System Decomposition Report — Generated 2026-03-27 — UHT Journal / universalhex.org
This report was generated autonomously by the UHT Journal systems engineering loop. An AI agent decomposed the system into subsystems and components, classified each using the Universal Hex Taxonomy (a 32-bit ontological classification system), generated traced requirements in AIRGen, and built architecture diagrams — all without human intervention.
Every component and subsystem is assigned an 8-character hex code representing its ontological profile across 32 binary traits organised in four layers: Physical (bits 1–8), Functional (9–16), Abstract (17–24), and Social (25–32). These codes enable cross-domain comparison — components from unrelated systems that share a hex code or high Jaccard similarity are ontological twins, meaning they occupy the same structural niche despite belonging to different domains.
Duplicate hex codes are informative, not errors. When two components share the same code, it means UHT classifies them as the same kind of thing — they have identical trait profiles. This reveals architectural patterns: for example, a fire control computer and a sensor fusion engine may share the same hex because both are powered, synthetic, signal-processing, state-transforming, system-essential components. The duplication signals that requirements, interfaces, and verification approaches from one may transfer to the other.
Requirements follow the EARS pattern (Easy Approach to Requirements Syntax) and are traced through a derivation chain: Stakeholder Needs (STK) → System Requirements (SYS) → Subsystem Requirements (SUB) / Interface Requirements (IFC) → Verification Plan (VER). The traceability matrices at the end of this report show every link in that chain.
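The hex-code comparison described above, worked through as an added example (this is not UHT Journal tooling). It assumes that trait bit 1 is the most significant bit of the 32-bit value, so the Physical layer is the first hex byte and the Social layer the last; the report does not state the bit order. The component codes in SAMPLE are constructed for the demonstration, not taken from the report.

```python
"""UHT hex-code comparison: Jaccard similarity and "ontological twin" detection.

Added example, not the UHT Journal's own code. Assumes the encoding described in
the report: an 8-character hex code whose 32 bits are traits grouped into four
8-bit layers (Physical 1-8, Functional 9-16, Abstract 17-24, Social 25-32).
Bit 1 = most significant bit is an assumption made here.
"""
from itertools import combinations

LAYERS = ("Physical", "Functional", "Abstract", "Social")


def parse_code(code: str) -> int:
    """Validate an 8-character hex code and return it as a 32-bit integer."""
    if len(code) != 8:
        raise ValueError(f"UHT code must be 8 hex characters, got {code!r}")
    return int(code, 16)  # raises ValueError on non-hex characters


def layer_bits(value: int, layer: int) -> int:
    """Return the 8-bit slice for layer index 0..3 (0 = Physical = top byte)."""
    shift = 8 * (3 - layer)
    return (value >> shift) & 0xFF


def jaccard(a: str, b: str) -> float:
    """Jaccard similarity of two trait sets: |A & B| / |A | B| over the 32 bits.

    Two all-zero codes are treated as identical (similarity 1.0) rather than
    dividing by zero.
    """
    x, y = parse_code(a), parse_code(b)
    union = bin(x | y).count("1")
    if union == 0:
        return 1.0
    return bin(x & y).count("1") / union


def layer_profile(a: str, b: str) -> dict:
    """Per-layer breakdown: (shared, only_in_a, only_in_b) trait counts."""
    x, y = parse_code(a), parse_code(b)
    out = {}
    for i, name in enumerate(LAYERS):
        la, lb = layer_bits(x, i), layer_bits(y, i)
        out[name] = (
            bin(la & lb).count("1"),
            bin(la & ~lb & 0xFF).count("1"),
            bin(lb & ~la & 0xFF).count("1"),
        )
    return out


def find_twins(components: dict, threshold: float = 0.9) -> list:
    """Return (name_a, name_b, similarity) for every pair at or above threshold.

    Sorted by similarity descending, so exact-code pairs (1.0) come first.
    """
    pairs = []
    for (na, ca), (nb, cb) in combinations(sorted(components.items()), 2):
        s = jaccard(ca, cb)
        if s >= threshold:
            pairs.append((na, nb, s))
    return sorted(pairs, key=lambda p: (-p[2], p[0], p[1]))


# Constructed sample codes (not from the report) to exercise the functions.
SAMPLE = {
    "Fire control computer": "C3A50F81",
    "Sensor fusion engine": "C3A50F81",    # identical code: same kind of thing
    "RBC application server": "C3A50F83",  # differs by one Social-layer trait
    "Point machine": "F0C00010",
}

if __name__ == "__main__":
    for na, nb, s in find_twins(SAMPLE):
        print(f"{na} ~ {nb}: {s:.3f} {layer_profile(SAMPLE[na], SAMPLE[nb])}")
```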
| Standard | Title |
|---|---|
| EN 12604 | — |
| EN 13232-4 | — |
| EN 13232-7 | — |
| EN 50121-4 | — |
| EN 50123 | — |
| EN 50125-3 | — |
| EN 50128 | Railway applications — Communication, signalling and processing systems — Software for railway control and protection systems |
| EN 50129 | Railway applications — Communication, signalling and processing systems — Safety related electronic systems for signalling |
| EN 50159 | — |
| EN 50238 | — |
| ERTMS | — |
| ETCS | — |
| ETCS Level 2 | — |
| IEC 61508 | Functional safety of electrical/electronic/programmable electronic safety-related systems |
| IEC 62439-3 | — |
| IEEE 1588 | Standard for a Precision Clock Synchronization Protocol for Networked Measurement and Control Systems |
| IEEE 1588v2 | Standard for a Precision Clock Synchronization Protocol for Networked Measurement and Control Systems |
| IEEE 802.3ab | Standard for Ethernet |
| ISO 9241-305 | — |
| Acronym | Expansion |
|---|---|
| ARC | Architecture Decisions |
| AWS | Automatic Warning System |
| CCCS | Completeness, Consistency, Correctness, Stability |
| EARS | Easy Approach to Requirements Syntax |
| IFC | Interface Requirements |
| STK | Stakeholder Requirements |
| SUB | Subsystem Requirements |
| SYS | System Requirements |
| TPWS | Train Protection and Warning System |
| UHT | Universal Hex Taxonomy |
| VER | Verification Plan |
```mermaid
flowchart TB
    n0["system<br>Railway Signalling System"]
    n1["actor<br>Train on-board systems"]
    n2["actor<br>Signaller"]
    n3["actor<br>Railway infrastructure"]
    n4["actor<br>Maintenance management system"]
    n5["actor<br>Road users and pedestrians"]
    n6["actor<br>National timetable system"]
    n0 -->|Movement authority, cab signals| n1
    n1 -->|Train position, speed, braking| n0
    n2 -->|Route requests, override commands| n0
    n0 -->|Track state display, alarms| n2
    n3 -->|Track circuit currents, point feedback| n0
    n0 -->|Fault logs, diagnostics| n4
    n0 -->|Level crossing warnings| n5
    n6 -->|Planned timetable, route schedules| n0
```
Railway Signalling System — Context
```mermaid
flowchart TB
    n0["system<br>Railway Signalling System"]
    n1["subsystem<br>Computer-Based Interlocking"]
    n2["subsystem<br>Train Detection Subsystem"]
    n3["subsystem<br>ETCS Radio Block Centre"]
    n4["subsystem<br>Colour-Light Signalling Output"]
    n5["subsystem<br>Points and Crossing Drive System"]
    n6["subsystem<br>Level Crossing Protection System"]
    n7["subsystem<br>Traffic Management System"]
    n8["subsystem<br>Signaller Workstation"]
    n9["subsystem<br>Signalling Communication Network"]
    n10["subsystem<br>Signalling Power Supply System"]
    n11["subsystem<br>Signalling Diagnostic and Monitoring System"]
    n2 -->|Track occupancy data| n1
    n1 -->|Signal aspect commands| n4
    n1 -->|Point drive commands| n5
    n5 -->|Point detection feedback| n1
    n1 -->|Crossing activation trigger| n6
    n1 -->|Route status for MA computation| n3
    n7 -->|Automatic route requests| n1
    n1 -->|Interlocking state display| n8
    n8 -->|Signaller commands| n1
    n9 -->|Data transport| n1
```
Railway Signalling System — Decomposition
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| STK-NEEDS-CON-005 | The Railway Signalling System SHALL provide ETCS Level 2 cab signalling in addition to lineside signals, enabling mixed-traffic operation with both ETCS-fitted and non-ETCS-fitted rolling stock during the transition period. Rationale: European regulatory mandate (TSI CCS) requires ETCS deployment on TEN-T corridors. However, the transition period demands dual signalling (lineside + cab) because the entire fleet cannot be retrofitted simultaneously. The system must therefore provide both modalities concurrently without degrading safety or capacity for either traffic type. | Test | stakeholder, interoperability, session-299 |
| STK-NEEDS-OPS-001 | The Railway Signalling System SHALL prevent any two trains from simultaneously occupying the same track section, and SHALL prevent conflicting movements at junctions, to a tolerable hazard rate of no worse than 10^-9 per operating hour. Rationale: Fundamental safety requirement deriving from CENELEC EN 50129 safety case obligations and UK Railway Group Standard GK/RT0045. The 10^-9/h THR aligns with SIL 4 for catastrophic hazards (head-on collision, side collision at junctions). This is the primary raison d'etre of the signalling system — without guaranteed train separation, no safe railway operation is possible. | Analysis | stakeholder, safety, session-299 |
| STK-NEEDS-OPS-004 | The Railway Signalling System SHALL be maintainable by a team of 6 signalling technicians per 100 route-km, with mean time to repair not exceeding 2 hours for any single equipment failure. Rationale: Maintenance staffing levels are constrained by the infrastructure manager's budget and recruitment pipeline. 6 technicians per 100 route-km reflects current UK Network Rail norms. The 2-hour MTTR ensures that degraded-mode operation (which typically halves capacity) does not persist across peak traffic periods. | Demonstration | stakeholder, maintainability, session-299 |
| STK-NEEDS-OPS-006 | The Railway Signalling System SHALL protect all road-rail level crossings such that road users are warned and barriers are in position at least 20 seconds before the fastest train reaches the crossing, for all train speeds up to 160 km/h. Rationale: Level crossing collisions are the single largest category of railway fatalities in Europe. The 20-second minimum warning time is derived from road user clearance time calculations per Railway Group Standard RT/E/S/11200, accounting for a 60m road vehicle clearing the crossing at 5 km/h. Below 20 seconds, road users cannot reliably clear the danger zone. | Test | stakeholder, safety, level-crossing, session-299 |
| STK-NEEDS-PERF-002 | The Railway Signalling System SHALL support a minimum headway of 2 minutes between successive trains on main running lines to enable the planned timetable capacity of 30 trains per hour per direction. Rationale: Capacity requirement driven by the infrastructure manager's timetable planning. The 2-minute headway is typical of high-capacity mainline corridors (e.g., UK East Coast or West Coast Main Line). Below this headway, signalling becomes the bottleneck and timetable paths are lost. The 30 trains/hour/direction target derives from franchise commitments and passenger demand forecasts. | Test | stakeholder, performance, session-299 |
| STK-NEEDS-PERF-003 | The Railway Signalling System SHALL achieve an operational availability of at least 99.99% measured annually, with no single equipment failure causing total loss of signalling capability across more than one signal section. Rationale: Railway operators face severe financial penalties for service disruption. 99.99% availability (52 minutes downtime per year maximum) is the standard for UK mainline signalling renewals. The single-failure containment requirement prevents common-cause failures from cascading across the controlled area, which would strand hundreds of trains simultaneously. | Analysis | stakeholder, availability, session-299 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SYS-REQS-ENV-007 | While installed in trackside locations, the Railway Signalling System outdoor equipment SHALL operate continuously within specification across an ambient temperature range of −40°C to +70°C, relative humidity up to 100% (condensing), and electromagnetic compatibility per EN 50121-4 for emissions and immunity in the railway electromagnetic environment. Rationale: Trackside equipment is exposed to extreme conditions: sub-zero winter temperatures (especially in Scandinavian or Scottish deployments), solar heating of equipment cases to +70°C in summer, traction return current EMI up to 2000A at 50Hz, and continuous weather exposure. EN 50121-4 is the railway-specific EMC standard that ensures signalling equipment is neither disrupted by nor disrupts traction and communications equipment. | Test | system, environmental, session-299 |
| SYS-REQS-FUNC-001 | The Railway Signalling System SHALL implement vital interlocking logic that enforces all route-locking, flank protection, and overlap-locking constraints, achieving a wrong-side failure rate of no worse than 10^-9 per operating hour as determined by quantitative safety analysis per EN 50129. Rationale: Direct derivation from STK-NEEDS-OPS-001. The 10^-9/h THR is allocated to the interlocking function because wrong-side signal failures (showing a proceed aspect when the route is not safe) are the primary hazard mechanism. EN 50129 requires this to be demonstrated through a combination of hardware reliability analysis (failure modes), software safety integrity (EN 50128 SIL 4 process), and systematic capability assessment. | Analysis | rt-mechanical-trace, red-team-session-522 |
| SYS-REQS-FUNC-003 | The Railway Signalling System SHALL employ redundant processing in all vital subsystems such that no single hardware failure causes loss of safe signalling function, with automatic failover completing within 500 milliseconds and without any transient wrong-side output. Rationale: Derives from 99.99% availability requirement. Single-failure tolerance is achieved through 2oo2 or 2oo3 voting architectures in the interlocking and hot-standby in the RBC. The 500ms failover bound ensures that train detection continuity is maintained — track circuits that lose processing for >2s may falsely indicate clear when a train is present (rail voltage recovery artefact). | Test | rt-mechanical-trace, red-team-session-522 |
| SYS-REQS-FUNC-004 | The Railway Signalling System SHALL detect the presence of any rail vehicle with a minimum axle load of 30 kg within a track section, and SHALL report track section occupancy to the interlocking with a false-clear failure rate no worse than 10^-9 per operating hour. Rationale: Derives from STK-NEEDS-OPS-001. Train detection is the primary input to the interlocking — if a track section falsely shows clear when occupied, the interlocking may set a conflicting route. The 30kg minimum axle load covers all known rail vehicles including lightweight engineering trolleys. The 10^-9/h THR matches the interlocking allocation because a false-clear detection is functionally equivalent to an interlocking wrong-side failure. | Test | system, safety, train-detection, session-299 |
| SYS-REQS-FUNC-005 | The Railway Signalling System SHALL compute and transmit ETCS movement authorities to ETCS-fitted trains within 2 seconds of the triggering interlocking state change, via the Radio Block Centre over GSM-R with end-of-authority accuracy of 1 metre. Rationale: Derives from STK-NEEDS-CON-005. The 2-second latency ensures ETCS-fitted trains receive updated MAs before they reach their current end-of-authority at line speed, preventing unnecessary emergency braking. The 1-metre EOA accuracy is required because ETCS supervised braking curves use the EOA as the zero-speed target point — larger errors could permit overrun into an occupied section or force unnecessarily early braking. | Test | rt-mechanical-trace, red-team-session-522 |
| SYS-REQS-FUNC-006 | When a train is detected approaching a level crossing, the Railway Signalling System SHALL activate road warning signals and initiate barrier descent such that the full protection sequence (lights, audible warning, barrier down and proved) is complete at least 20 seconds before train arrival at the crossing, for approach speeds up to 160 km/h. Rationale: Direct derivation from STK-NEEDS-OPS-006. The approach detection point must be calculated from the maximum approach speed (160 km/h = 44.4 m/s) plus the full protection sequence time (typically 27-32s for half-barrier). At 160 km/h, the approach detection point is approximately 2.3 km from the crossing. Timing margins must account for track circuit pick-up delay (<1s) and barrier descent time (8-12s). | Test | system, safety, level-crossing, session-299 |
| SYS-REQS-FUNC-008 | The Railway Signalling System SHALL provide Automatic Warning System (AWS) and Train Protection and Warning System (TPWS) trackside equipment at all signals and speed restrictions, operating concurrently with ETCS Level 2 to protect non-ETCS-fitted trains and provide defence-in-depth for ETCS-fitted trains during the transition period, achieving a TPWS intervention reliability of at least 99.9% per demand. Rationale: UK Railway Group Standard GK/RT0045 and RSSB mandate AWS/TPWS at all controlled signals regardless of ETCS fitment. During the ETCS transition period, the fleet will include non-ETCS-fitted trains that rely exclusively on lineside signalling with AWS/TPWS as the final safety net against SPAD. Even for ETCS-fitted trains, AWS/TPWS provides an independent overlay protection layer. Removing AWS/TPWS prematurely would expose non-fitted trains to unmitigated SPAD risk. The 99.9% reliability target is per Railway Safety Principles and Guidance Part 2 Section E. | Test | rt-mechanical-trace, red-team-session-522 |
| SYS-REQS-FUNC-009 | The Railway Signalling System SHALL provide Automatic Warning System and Train Protection and Warning System trackside equipment at all signals and speed restrictions, operating concurrently with ETCS Level 2, achieving a TPWS intervention reliability of at least 99.9 percent per demand. Rationale: UK Railway Group Standard GK/RT0045 mandates AWS/TPWS at all controlled signals regardless of ETCS fitment. During the ETCS transition period non-ETCS-fitted trains rely exclusively on lineside signalling with AWS/TPWS as the final safety net against SPAD. The 99.9 percent reliability target aligns with Railway Safety Principles and Guidance Part 2 Section E. | Test | system, safety, aws-tpws, validation, session-313 |
| SYS-REQS-FUNC-010 | When the Computer-Based Interlocking or Radio Block Centre is wholly unavailable, the Railway Signalling System SHALL support a controlled transition to degraded operating mode within 60 seconds, providing the signaller with explicit degraded-mode status indication, and SHALL maintain a minimum safe capacity of 4 trains per hour per single line using verbal authorisation procedures with signaller-controlled release of individual signal sections. Rationale: Total CBI or RBC failure, while rare with design target MTBF greater than 50000 hours, must be planned for because it leaves trains without movement authority or signal protection. UK Rule Book Module TW1 defines degraded operating procedures including pilotman working and verbal authorisation that require the signalling system to release control of track sections individually. The 60-second transition time prevents trains approaching signals at danger without updated information. The 4 trains per hour floor is the minimum operational capacity that avoids route-wide cancellation during peak hours, derived from Network Rail operational resilience standards. | Demonstration | system, safety, degraded-mode, validation, session-313 |
| SYS-REQS-FUNC-011 | When the Computer-Based Interlocking or Radio Block Centre is wholly unavailable, the Railway Signalling System SHALL support a controlled transition to degraded operating mode within 60 seconds, providing the signaller with explicit degraded-mode status indication, and SHALL maintain a minimum safe capacity of 4 trains per hour per single line using verbal authorisation procedures with signaller-controlled release of individual signal sections. Rationale: Total CBI or RBC failure must be planned for because it leaves trains without movement authority. UK Rule Book Module TW1 defines degraded operating procedures including pilotman working and verbal authorisation. The 60-second transition time prevents trains approaching signals at danger without updated information. The 4 trains per hour floor avoids route-wide cancellation during peak hours per Network Rail operational resilience standards. | Demonstration | system, safety, degraded-mode, validation, session-313 |
| SYS-REQS-FUNC-012 | The Railway Signalling System SHALL record all safety-critical state changes, operator commands, alarm events, and equipment status transitions across all subsystems with UTC timestamps at 1 millisecond resolution, retaining records for a minimum of 6 months on tamper-evident storage accessible to RAIB investigators within 4 hours of a request. Rationale: RAIB investigations require comprehensive event timelines across all signalling subsystems, not just ETCS. CBI interlocking decisions, point movements, track circuit occupancies, signal aspect changes, and operator actions must all be correlated during incident investigation. The 6-month retention aligns with Railways Accident Investigation and Reporting Regulations 2005. The 4-hour accessibility requirement reflects RAIB standard evidence preservation protocols. | Test | system, safety, recording, validation, session-313 |
| SYS-REQS-FUNC-013 | The Railway Signalling System SHALL manage temporary speed restrictions by enforcing reduced approach aspects at signals governing approach to the restricted section, transmitting speed restriction data to the ETCS Radio Block Centre for inclusion in movement authorities, and providing the signaller with TSR status display showing location, speed limit, and remaining duration for all active restrictions within the control area. Rationale: Temporary speed restrictions are imposed daily across the UK network for track maintenance and infrastructure condition. TSRs must propagate to both lineside signals via reduced approach aspects per Railway Group Standard RT/E/S/11201 and ETCS movement authorities via SUBSET-026 speed profile to protect both fitted and non-fitted trains. Without integrated TSR management, speed restrictions require manual signaller intervention for every affected train, increasing workload and error risk. | Test | system, operations, tsr, validation, session-313 |
| SYS-REQS-PERF-002 | The Railway Signalling System SHALL update signal aspects within 500 milliseconds of the interlocking determining that a route is set and locked, measured from interlocking output command to confirmed signal display change. Rationale: Derives from the 2-minute headway requirement. Signal aspect update latency directly affects following-train braking distance calculations and thus minimum headway. At 500ms, the delay contribution to headway is negligible (<50m at 200km/h). At >2s, headway calculations must add a full signal section, potentially increasing minimum headway beyond the 2-minute target. | Test | rt-mechanical-trace, red-team-session-522 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SUB-REQS-FUNC-001 | The Vital Processing Unit SHALL implement 2-out-of-3 voted processing architecture where three independent channels execute identical interlocking logic, and any output command SHALL only be issued when at least two channels agree within a comparison window of 10ms. Rationale: 2oo3 architecture is required to achieve SIL 4 tolerable hazard rate of 10^-9/hr per EN 50129. A single-channel failure must not produce an unsafe output. The 10ms comparison window bounds the maximum skew between channels while accommodating clock jitter in the cyclic kernel. | Test | subsystem, cbi, vpu, session-300, idempotency:sub-cbi-vpu-voting-300 |
| SUB-REQS-FUNC-002 | The Computer-Based Interlocking SHALL enforce route-locking such that once a route is set, all points within the route are locked in the required position and all conflicting routes are excluded until the route is released by sequential track clearance or manual cancellation with a 120-second time delay. Rationale: Route-locking with conflict exclusion is the fundamental safety function of an interlocking per GK/RT0060. The 120-second cancellation delay prevents premature release while a train may still be approaching the route entrance signal, derived from worst-case braking distance at line speed. | Test | subsystem, cbi, vpu, session-300, idempotency:sub-cbi-route-locking-300 |
| SUB-REQS-FUNC-003 | The Computer-Based Interlocking SHALL set and lock flank protection points for every set route, ensuring that no vehicle from a converging path can enter the route corridor. Where physical flank protection is not available, the interlocking SHALL detect the absence and restrict line speed accordingly. Rationale: Flank protection prevents side collisions at junctions. EN 50129 and national rules (e.g., RSSB GK/RT0060) require flank protection as a mandatory safety function. The fallback to speed restriction addresses layouts where geometry prevents full flank protection. | Test | rt-untestable, red-team-session-522 |
| SUB-REQS-FUNC-004 | The Computer-Based Interlocking SHALL maintain overlap track sections beyond each stop signal in a locked and unoccupied state for the duration that a route to that signal is set, releasing the overlap only after the approaching train has been proved stationary or has passed the signal. Rationale: Overlaps provide a safety margin for trains overrunning a stop signal. The overlap length and release conditions are derived from braking curves at the approach speed. Premature overlap release would remove the collision protection margin. | Test | rt-untestable, red-team-session-522 |
| SUB-REQS-FUNC-005 | The Object Controller SHALL drive field equipment outputs only upon receipt of an authenticated, sequence-numbered command from the Vital Processing Unit, and SHALL confirm execution by reading back the actual field state within 200ms of command issue. Rationale: Authenticated commands prevent spoofing per EN 50159 Category 3. Read-back verification within 200ms ensures the interlocking detects stuck or failed field equipment within one safety cycle, preventing the assumption of a safe state that does not exist physically. | Test | subsystem, cbi, object-controller, session-300, idempotency:sub-cbi-oc-drive-300 |
| SUB-REQS-FUNC-006 | The Vital Processing Unit SHALL verify the integrity of Interlocking Application Data at startup using a cryptographic hash (SHA-256 minimum) and SHALL refuse to enter operational mode if the computed hash does not match the validated reference hash. Rationale: Corrupted application data could encode incorrect route tables, leading to conflicting routes being permitted. Cryptographic verification at startup per EN 50128 ensures only the independently validated dataset is executed. SHA-256 provides collision resistance sufficient for SIL 4. | Test | subsystem, cbi, application-data, session-300, idempotency:sub-cbi-data-integrity-300 |
| SUB-REQS-FUNC-007 | The Interlocking Communication Gateway SHALL implement EN 50159 Category 3 safety communication on all vital links, providing cryptographic message authentication, sequence numbering, and timeout supervision with a maximum message lifetime of 500ms. Rationale: Category 3 communication defences protect against message corruption, delay, insertion, and replay attacks on open transmission networks. The 500ms lifetime bounds the maximum age of any accepted vital message, derived from the interlocking cycle time and worst-case network latency. | Test | subsystem, cbi, comm-gateway, session-300, idempotency:sub-cbi-cgw-safety-300 |
| SUB-REQS-FUNC-008 | When one of the three VPU processing channels fails, the Computer-Based Interlocking SHALL continue operating in 2-out-of-2 degraded mode, maintaining full route-setting and signal control functionality with no reduction in the number of routes available, and SHALL raise a maintenance alarm within 1 second of detecting the channel failure. Rationale: Loss of one channel in a 2oo3 architecture reduces to 2oo2, which still achieves SIL 4 but with reduced availability (next failure causes shutdown). Immediate alarm ensures maintenance response before a second failure. Full functionality retention is required because train services cannot be degraded for a single channel loss. | Test | subsystem, cbi, vpu, session-300, idempotency:sub-cbi-degraded-mode-300 |
| SUB-REQS-FUNC-009 | The Engineering and Maintenance Terminal SHALL enforce role-based access control with a minimum of three roles (viewer, maintainer, engineer), and SHALL log every user action with timestamp, operator identity, and action description to a tamper-evident audit log retained for a minimum of 5 years. Rationale: Role-based access prevents unauthorised modification of safety-critical interlocking data. The 5-year audit retention aligns with RSSB and ORR requirements for safety record keeping. Tamper-evident logging enables incident investigation and regulatory audit. | Inspection | subsystem, cbi, emt, session-300, idempotency:sub-cbi-emt-access-300 |
| SUB-REQS-FUNC-013 | The Audio-Frequency Track Circuit SHALL detect any rail vehicle presenting a minimum shunting resistance of 0.06 ohm across the running rails, within 1 second of the vehicle entering the track section. Rationale: 0.06 ohm is the EN 50238 worst-case shunting resistance for lightweight vehicles with cast-iron brake blocks on contaminated rail. Detection within 1 second ensures the interlocking receives occupancy before a train travelling at maximum line speed (200 km/h) covers more than 56m, maintaining safe overlap margins. | Test | subsystem, train-detection, aftc, session-301, idempotency:sub-td-aftc-sensitivity-301 |
| SUB-REQS-FUNC-014 | When the Audio-Frequency Track Circuit receiver signal level falls below the calibrated threshold, the track circuit SHALL report the section as occupied within 500 milliseconds. Rationale: Fail-safe design principle: any loss of received signal (broken rail, equipment failure, power loss, cable fault) must default to the restrictive state. The 500ms threshold ensures the occupied indication reaches the interlocking before the next processing cycle completes, preventing a transient clear indication during failure. | Test | subsystem, train-detection, aftc, safety, session-301, idempotency:sub-td-aftc-failsafe-301 |
| SUB-REQS-FUNC-015 | The Axle Counter Evaluator SHALL correctly count all axle passages at speeds from 0 to 500 km/h for wheel diameters between 330 mm and 1000 mm, with a per-counting-point miscount probability of less than 10^-9 per axle passage. Rationale: The speed and wheel diameter range covers all European rolling stock from shunting locomotives to high-speed trains. The 10^-9 miscount probability is derived from the SIL 4 target (tolerable hazard rate 10^-9/h) combined with expected traffic density of approximately 1 axle passage per second at busy junctions, ensuring the axle counter contribution to dangerous failure rate remains below the SIL 4 allocation. | Test | subsystem, train-detection, axle-counter, safety, session-301, idempotency:sub-td-ace-accuracy-301 |
| SUB-REQS-FUNC-016 | When the Axle Counter Evaluator detects a discrepancy between entry and exit axle counts that persists for more than 2 processing cycles (200 ms), the evaluator SHALL set the affected section to occupied and generate a reset-required alarm. Rationale: A count discrepancy indicates either a missed axle or a spurious count — both are safety-critical. Two processing cycles allows for transient electrical noise rejection without delaying the fail-safe response beyond the interlocking cycle time. Manual reset is required because automatic count correction could mask a genuine vehicle presence. | Test | subsystem, train-detection, axle-counter, safety, session-301, idempotency:sub-td-ace-failsafe-301 |
| SUB-REQS-FUNC-017 | The Train Detection Data Concentrator SHALL aggregate occupancy status from all connected detectors and present a complete, consistent occupancy table to the CBI interface within 100 milliseconds of any detector state change. Rationale: 100ms aggregation latency ensures the total detection-to-interlocking pipeline (detector response + concentrator + CBI input scan) remains within the 500ms signal update budget defined in SYS-REQS-PERF-002. The concentrator consumes approximately 100ms of the 500ms budget, leaving margin for detector response time (up to 200ms for track circuits) and CBI input scanning (up to 100ms). | Test | subsystem, train-detection, data-concentrator, performance, session-301, idempotency:sub-td-tddc-latency-301 |
| SUB-REQS-FUNC-018 | When the active Train Detection Data Concentrator unit fails, the hot-standby unit SHALL assume data aggregation within 50 milliseconds, without loss of occupancy state for any monitored section. Rationale: 50ms switchover ensures the redundancy transition is invisible to the CBI, which polls the concentrator at 100ms intervals. State synchronisation between active and standby units must be continuous so that no section shows a transient clear during switchover — a momentary false-clear could allow the interlocking to release a route into an occupied section. | Test | subsystem, train-detection, data-concentrator, reliability, session-301, idempotency:sub-td-tddc-redundancy-301 |
| SUB-REQS-FUNC-019 | The Train Detection Data Concentrator SHALL continuously monitor the health of all connected track circuits and axle counter evaluators, detecting communication loss within 2 seconds and rail insulation degradation when track circuit received signal strength drops below 70 percent of calibrated nominal. Rationale: 2-second communication loss detection provides timely fault reporting without false alarms from transient interference. The 70% insulation threshold is the industry-standard early warning level: below 70% of nominal, track circuit performance becomes marginal and shunting sensitivity degrades, requiring maintenance intervention before a missed detection could occur. | Test | subsystem, train-detection, data-concentrator, diagnostic, session-301, idempotency:sub-td-tddc-diagnostic-301 |
| SUB-REQS-FUNC-020 | The RBC Application Server SHALL compute a complete movement authority, including end-of-authority, speed profile, and gradient profile, within 800 milliseconds of receiving updated route and occupancy data from the RBC-CBI Interface Gateway. Rationale: The 2-second system-level MA transmission budget (SYS-REQS-FUNC-005) must be allocated across the processing chain: 100ms CBI-to-RBC gateway latency, 800ms MA computation, 500ms Euroradio safe messaging, 200ms GSM-R radio delivery, leaving 400ms margin for retransmission. The 800ms computation budget was derived from SUBSET-026 Appendix A timing analysis for a 60-train load with worst-case route complexity. | Test | subsystem, etcs-rbc, session-302, idempotency:sub-rbc-app-ma-compute-302 |
| SUB-REQS-FUNC-021 | The RBC Application Server SHALL maintain simultaneous ETCS supervision sessions for a minimum of 60 trains, each receiving movement authority updates at intervals not exceeding 5 seconds under normal operation. Rationale: 60 concurrent trains represents the capacity of a major junction area RBC (e.g., Thameslink core through central London). The 5-second MA update interval is aligned with the MA request timing parameters of SUBSET-026 (T_MAR). Any valid safe message from the RBC restarts the onboard T_NVCONTACT timer; if MA updates and other messages stop for longer than T_NVCONTACT, the onboard applies the reaction configured by M_NVCONTACT (train trip, service brake or no reaction), so the update cadence must stay well inside T_NVCONTACT. | Test | rt-missing-failure-mode, red-team-session-522 |
| SUB-REQS-FUNC-022 | The RBC Application Server SHALL operate as a hot-standby pair of 2-out-of-2 (2oo2) units, where the standby unit SHALL assume full MA computation within 3 seconds of detecting primary unit failure, without loss of any active train session. Rationale: The 3-second failover budget ensures no train exceeds its T_NVCONTACT timeout (typically 10-15 seconds). Hot-standby with session state replication is required because a cold restart would require all 60 trains to re-establish sessions simultaneously, causing a capacity storm. The 2oo2 comparison within each unit provides fail-safe detection of internal faults; a replicated standby rather than 2oo3 voting across units is sufficient because MA computation is deterministic given identical inputs, so the standby reproduces the primary's results from the replicated session state. | Test | subsystem, etcs-rbc, session-302, idempotency:sub-rbc-app-redundancy-302 |
| SUB-REQS-FUNC-023 | The Euroradio Safe Communication Layer SHALL authenticate and integrity-protect all messages between the RBC and onboard ETCS equipment using SUBSET-037 message authentication codes with a residual error rate not exceeding 2^-40 per message. Rationale: The 2^-40 per-message residual error rate is specified by SUBSET-037 for SIL 4 communications. The undetected-acceptance rate is the product of message rate, corrupted-message fraction and per-message residual: at approximately 10,000 messages per hour across all train sessions, 10^4 × 2^-40 ≈ 9×10^-9/h is the bound if every message were corrupted in transit, so meeting the tolerable hazard rate of 10^-9 per hour for an undetected corrupted movement authority relies on only a small fraction of messages actually arriving corrupted. The channel's corrupted-message rate must therefore be part of the safety case rather than assumed away. | Test | rt-missing-failure-mode, red-team-session-522 |
| SUB-REQS-FUNC-024 | When the Euroradio Safe Communication Layer detects loss of communication with an onboard unit for a duration exceeding the configured T_NVCONTACT value, the layer SHALL notify the RBC Application Server to revoke the affected train movement authority and log the disconnection event. Rationale: T_NVCONTACT is the ERTMS timeout that triggers onboard emergency braking if no valid safe message is received. The RBC side must mirror this detection to revoke the MA and prevent the track section from being allocated to another train while the disconnected train may still be occupying it. Without this, a phantom train scenario could develop where the RBC believes a train has stopped but it is still moving under its last valid MA. | Test | rt-untestable, red-team-session-522 |
| SUB-REQS-FUNC-025 | The GSM-R Radio Interface Module SHALL establish a circuit-switched data call to a requesting onboard ETCS unit within 5 seconds of receiving the session initiation request, with a call setup success rate of at least 99.5% when GSM-R network signal strength is at or above -92 dBm (RXLEV 18) and cell load does not exceed 75% of traffic channel capacity. Rationale: The 5-second call setup time is derived from the EIRENE FRS v8 specification for GSM-R railway data calls. The 99.5% success rate accounts for the 0.5% radio congestion probability in high-traffic areas. Failed setups are retried automatically; three consecutive failures trigger a fallback to a GPRS packet-switched bearer if available, or an alarm to the signaller. | Test | rt-missing-failure-mode, red-team-session-522 |
| SUB-REQS-FUNC-026 | The RBC-CBI Interface Gateway SHALL implement EN 50159 Category 3 safety communication on the link to the Computer-Based Interlocking, providing message authentication, sequence numbering, and timestamp validation with an end-to-end message transfer latency not exceeding 100 milliseconds. Rationale: 100ms gateway latency is part of the 2-second MA budget allocation. EN 50159 Category 3 is required because the RBC and CBI may be in different equipment rooms connected via a non-trusted network. The gateway must detect message replay, insertion, resequencing, and corruption — all attack vectors on a network traversing unsecured cable routes between buildings. | Test | subsystem, etcs-rbc, session-302, idempotency:sub-cbi-gw-safe-302 |
| SUB-REQS-FUNC-027 | The RBC Handover Controller SHALL complete the transfer of train supervision responsibility to an adjacent RBC within 5 seconds of the train entering the handover preparation area, including coordinated MA boundary alignment and session transfer confirmation. Rationale: 5 seconds is derived from the worst-case train speed (300 km/h on high-speed lines) and the minimum handover preparation zone length (2 km per SUBSET-026). At 300 km/h a train traverses 2 km in 24 seconds, so 5 seconds provides adequate margin for the handover protocol exchange (request, acknowledge, confirm) while leaving at least 19 seconds of supervised operation in the overlap zone. Exceeding 5 seconds at high speed risks the train entering the new RBC area without an accepted MA from the receiving RBC. | Test | rt-missing-failure-mode, red-team-session-522 |
| SUB-REQS-FUNC-028 | The Juridical Recording Unit SHALL record all movement authority computations, train position reports, session events, and emergency messages with UTC timestamps at 1 millisecond resolution, retaining data for a minimum of 90 days on redundant non-volatile storage with cryptographic tamper-evidence. Rationale: 90-day retention supports post-incident investigation by the national investigating body under the EU railway safety framework (Directive (EU) 2016/798). 1 ms timestamp resolution is required to reconstruct the exact sequence of events during multi-train incidents where events may be separated by only tens of milliseconds. Cryptographic tamper-evidence (hash chains, with the chain head anchored outside the log so that a rewritten tail is detectable, not only an edited record) ensures data admissibility in regulatory and legal proceedings. Redundant storage protects against single-disk failure during the retention period. | Inspection | subsystem, etcs-rbc, session-302, idempotency:sub-jru-retention-302 |
| SUB-REQS-FUNC-029 | When the RBC Application Server loses communication with the CBI for more than 10 seconds, the RBC SHALL freeze all current movement authorities at their last safe end-of-authority positions and SHALL NOT extend any MA until CBI communication is restored and confirmed via a full state synchronisation handshake. Rationale: Freezing MAs at their last safe positions prevents trains from receiving authority to proceed into track sections whose occupancy status is unknown. The 10-second threshold allows for transient network interruptions without premature MA freeze. Full state resynchronisation is required after restoration because the CBI may have changed route and point states during the outage, making incremental updates unsafe. | Test | subsystem, etcs-rbc, session-302, idempotency:sub-rbc-app-degraded-302 |
| SUB-REQS-FUNC-030 | When the RBC Application Server receives an unconditional emergency stop command from the CBI or signaller, the RBC SHALL transmit ETCS emergency stop messages to all affected trains within 500 milliseconds, overriding all normal MA processing. Rationale: 500ms emergency broadcast latency ensures that at 300 km/h a train travels no more than 42m before receiving the stop command. This is within the braking distance safety margin assumed by the CBI when commanding emergency route release. The override of normal processing prevents MA computation queuing from delaying safety-critical emergency messages. | Test | subsystem, etcs-rbc, session-302, idempotency:sub-rbc-app-estop-302 |
| SUB-REQS-FUNC-031 | When the Level Crossing Controller receives a train approach trigger from the CBI, the controller SHALL initiate the road warning sequence and achieve full crossing protection (barriers lowered, signals active) within the configured warning time, which SHALL be adjustable between 24 and 55 seconds to accommodate site-specific road clearance requirements. Rationale: The 24-55 second range covers UK crossing types from short crossings (24 s minimum) to long crossings with slow-moving agricultural traffic (55 s). The warning time must be configurable per site because it depends on road width, speed limit, and expected traffic type: a narrow footpath crossing needs 24 seconds; a dual-carriageway crossing with heavy goods vehicles needs 55 seconds. | Test | subsystem, level-crossing, session-302, idempotency:sub-lc-timing-302 |
| SUB-REQS-FUNC-032 | When the Level Crossing Obstacle Detection System detects an object exceeding 0.5 metres in height on the crossing deck during barrier descent, the Level Crossing Controller SHALL inhibit further barrier descent and activate a crossing alarm, while maintaining road warning signals in the active state. Rationale: 0.5m threshold discriminates vehicles and pedestrians from debris and small animals that do not pose a collision risk. Barrier descent inhibition prevents a vehicle or person being struck by the barrier. Warning signals remain active because a train may still be approaching — the crossing is not safe for road traffic even though the barrier has stopped. | Test | subsystem, level-crossing, session-302, idempotency:sub-lc-obstacle-302 |
| SUB-REQS-FUNC-033 | The Barrier Drive Mechanism SHALL limit the drive torque about the barrier pivot to a maximum of 150 Nm during descent to prevent injury to any person or object contacted by the barrier. Rationale: 150 Nm about the pivot corresponds to approximately 40 N of force at the tip of a 3.75 m barrier (150 Nm / 3.75 m), which is below the threshold for serious injury per EN 12604 (power-operated doors and gates). This is a critical safety requirement because barrier contact with a pedestrian is a foreseeable event, particularly at crossings with high foot traffic. | Test | subsystem, level-crossing, session-302, idempotency:sub-lc-torque-302 |
| SUB-REQS-FUNC-034 | The Road Traffic Signal Assembly SHALL achieve a minimum luminous intensity of 200 candela for each red flashing light when measured on-axis, sufficient for visibility at 100 metres in direct sunlight conditions with a solar illuminance of 100,000 lux. Rationale: 200 candela visible at 100 m in bright sunlight ensures road users can detect the warning beyond the UK Highway Code typical stopping distance for a 60 mph road (73 m). This is the worst-case visibility scenario: signal intensity must overcome the solar phantom effect, where sunlight illuminates the signal optic and masks the LED indication. | Test | subsystem, level-crossing, session-302, idempotency:sub-lc-signal-intensity-302 |
| SUB-REQS-FUNC-035 | When the Level Crossing Controller detects any internal fault or loss of communication with the CBI, the controller SHALL drive the crossing to the protected state (barriers lowered, signals active) and SHALL report the fault to the CBI and diagnostic system. Rationale: Protected state on failure is the fundamental fail-safe design principle for level crossings — a spurious crossing closure causes traffic delay (a nuisance) while a spurious crossing opening causes a potential collision (a catastrophe). The asymmetry of consequence makes fail-to-protected the only acceptable failure mode. CBI notification ensures the signaller is aware and can manage train movements accordingly. | Test | rt-untestable, red-team-session-522 |
| SUB-REQS-FUNC-036 | The Electro-Hydraulic Point Machine SHALL complete a full blade throw from normal to reverse or reverse to normal within 6 seconds for switch lengths up to 60m, measured from receipt of the drive command to confirmed detection in the target position. Rationale: The 6-second throw time is derived from the route-setting time budget: total route set time must be under 15 seconds (SYS-REQS-FUNC-001 cascade), of which interlocking processing takes 2 s and signal update 0.5 s, leaving 12.5 s for point operation. That accommodates two sequential 6 s throws with 0.5 s margin; a route requiring three or more point moves must drive them concurrently to stay within budget. Longer throw times degrade junction throughput and delay route availability. | Test | subsystem, points-drive, point-machine, session-304, idempotency:sub-points-throw-time-304 |
| SUB-REQS-FUNC-037 | The Point Position Detection Assembly SHALL confirm blade position as 'detected' only when the blade tip is within 2mm of the stock rail in the closed position, and SHALL report 'not detected' for any blade displacement exceeding 2mm from nominal. Rationale: The 2mm detection tolerance is derived from EN 13232-7 gauge maintenance requirements: a blade gap exceeding 3mm risks wheel flange entry between blade and stock rail. The 2mm detection threshold provides a 1mm safety margin below the hazardous gap dimension, accounting for detection rod mechanical play and thermal expansion of switch rails. | Test | subsystem, points-drive, detection, session-304, idempotency:sub-points-detection-tolerance-304 |
| SUB-REQS-FUNC-038 | The Point Drive Controller SHALL detect an obstruction between the switch blades within 1 second of motor current exceeding 150% of the nominal throw current profile, and SHALL immediately remove drive power and report an obstruction fault to the Object Controller. Rationale: Obstruction detection prevents mechanical damage to the point machine and track infrastructure. The 150% current threshold is based on typical electro-hydraulic machine current signatures — normal throw current varies by ±20% due to friction and temperature, so 150% provides discrimination between normal variation and a genuine obstruction. The 1-second detection window prevents prolonged force application that could damage blades or the obstruction. | Test | subsystem, points-drive, safety, session-304, idempotency:sub-points-obstruction-detect-304 |
| SUB-REQS-FUNC-039 | The Electro-Hydraulic Point Machine SHALL maintain a minimum clamping force of 8kN on the closed blade under all operating conditions, sufficient to resist dynamic forces from train wheels traversing the switch at speeds up to 300 km/h. Rationale: 8kN clamping force is derived from EN 13232-4 dynamic load analysis: a 25-tonne axle load at 300 km/h generates lateral forces up to 5kN at the blade tip due to hunting oscillation and conicity. The 8kN clamp provides a 1.6x safety factor, preventing blade creep under repeated loading that could open a flange-way gap. | Test | subsystem, points-drive, point-machine, session-304, idempotency:sub-points-clamp-force-304 |
| SUB-REQS-FUNC-040 | When power supply to the Point Position Detection Assembly is lost, the detection output SHALL default to 'not detected' within 100ms, preventing the interlocking from setting any route over the affected points. Rationale: Fail-safe detection default is a SIL 4 requirement per EN 50129: loss of detection information must be treated as a dangerous condition. The 100ms timeout ensures the interlocking detects power failure before the next processing cycle (250ms typical) and revokes any route requiring these points. Longer timeout risks a route being set over unproven points during the detection gap. | Test | subsystem, points-drive, detection, safety, session-304, idempotency:sub-points-failsafe-detect-304 |
| SUB-REQS-FUNC-041 | The Swing-Nose Crossing Actuator SHALL position the crossing nose tip within 0.5mm of the stock rail, and the Point Position Detection Assembly SHALL confirm nose alignment only when this tolerance is met. Rationale: 0.5mm tolerance for swing-nose crossings is mandated by high-speed turnout standards (EN 13232-7 Annex C): at speeds above 200 km/h, a gap exceeding 1mm at the nose creates unacceptable dynamic loads on wheel flanges and risks wheel climb. The 0.5mm tolerance provides a 2x margin against the hazardous 1mm threshold, accounting for thermal expansion and mechanical wear. | Test | subsystem, points-drive, swing-nose, session-304, idempotency:sub-points-swingnose-align-304 |
| SUB-REQS-FUNC-042 | The Point Heating System SHALL activate pre-emptive heating when ambient temperature falls below 3 degrees Celsius and relative humidity exceeds 80%, and SHALL activate full-power reactive heating when precipitation is detected at temperatures below 1 degree Celsius. Rationale: Heating activation thresholds are derived from meteorological analysis of ice formation conditions: ice accretion on switch rails begins at the intersection of sub-3°C temperatures and >80% humidity. The 1°C precipitation threshold accounts for rain freezing on contact with rail surfaces that are colder than the surrounding air, so freezing can occur while the air temperature is still slightly above 0°C. Pre-emptive mode prevents ice formation; reactive mode melts accumulation. Without these thresholds, blade freezing can prevent point operation within 15-30 minutes of onset. | Test | subsystem, points-drive, heating, session-304, idempotency:sub-points-heating-activation-304 |
| SUB-REQS-FUNC-043 | The Safety-Critical Data Network Switch SHALL implement Parallel Redundancy Protocol per IEC 62439-3 on all vital communication paths, achieving zero-recovery-time failover with no frame loss during a single link or switch failure. Rationale: PRP is mandated because the interlocking cycle time of 500ms and ETCS MA computation of 2s leave no margin for network recovery. Any frame loss during failover could delay safety-critical commands beyond their integrity time windows, potentially leading to unsafe signal aspects or late movement authority updates. | Test | subsystem, communication-network, session-305, idempotency:sub-commnet-prp-redundancy-305 |
| SUB-REQS-FUNC-044 | The Signalling Communication Network SHALL deliver any vital message between the Computer-Based Interlocking and any connected subsystem endpoint within 50 milliseconds end-to-end latency under maximum traffic load, measured from source application buffer to destination application buffer. Rationale: The 50ms budget is derived from the 500ms signal aspect update requirement (SYS-REQS-PERF-002), allocating 10 percent of the total budget to network transport to leave 450ms for interlocking processing, output drive, and signal lamp confirmation. Exceeding this would cascade timing violations through the safety chain. | Test | subsystem, communication-network, session-305, idempotency:sub-commnet-latency-305 |
| SUB-REQS-FUNC-045 | The RaSTA Protocol Stack SHALL authenticate and integrity-protect all vital messages using EN 50159 Category 3 mechanisms with a residual error rate not exceeding 10^-9 per hour, detecting message corruption, replay, insertion, deletion, resequencing, and delay within the configured safety time interval Tmax. Rationale: EN 50159 Category 3 is required because the signalling network traverses open transmission media where all threat classes apply. The 10^-9 per hour residual error rate derives from SIL4 tolerable hazard rate apportionment across the communication channel, ensuring the network does not dominate the system hazard budget. | Test | subsystem, communication-network, session-305, idempotency:sub-commnet-rasta-safety-305 |
| SUB-REQS-FUNC-046 | The Network Time Distribution Server SHALL synchronize all network endpoints to UTC with an accuracy of 1 microsecond or better under normal GNSS reception, and SHALL maintain holdover accuracy within 10 microseconds for at least 24 hours following complete GNSS signal loss. Rationale: Sub-microsecond accuracy is required by the Juridical Recording Unit to establish unambiguous event ordering across distributed subsystems during incident investigation. The 24-hour holdover requirement covers the worst-case GNSS outage scenario without requiring manual intervention, using rubidium oscillator stability characteristics. | Test | subsystem, communication-network, session-305, idempotency:sub-commnet-ptp-accuracy-305 |
| SUB-REQS-FUNC-047 | The Cybersecurity Boundary Gateway SHALL enforce TS 50701 zone separation between the safety-critical signalling network and all non-vital networks, permitting only allowlisted protocol and message type combinations to traverse the boundary, and SHALL log all blocked traffic attempts for a minimum retention period of 180 days. Rationale: TS 50701 zone separation prevents lateral movement from compromised non-vital systems into the safety domain. Allowlisting rather than denylisting ensures unknown protocols are blocked by default. The 180-day log retention supports forensic analysis of security incidents aligned with railway operator CSIRT requirements. | Test | subsystem, communication-network, session-305, idempotency:sub-commnet-cybersec-305 |
| SUB-REQS-FUNC-048 | The Lineside Transmission Multiplexer SHALL achieve link availability of 99.999 percent per fiber trunk route, with automatic protection switching completing within 50 milliseconds of detecting a fiber path failure. Rationale: 99.999 percent availability equates to less than 5.3 minutes downtime per year, derived from the system-level availability target for continuous signalling operation. The 50ms protection switching time ensures the outage falls within the RaSTA Tmax window, preventing safety timeout activation during fiber cuts. | Test | subsystem, communication-network, session-305, idempotency:sub-commnet-lineside-avail-305 |
| SUB-REQS-FUNC-049 | The Network Diagnostic and Monitoring Agent SHALL detect and alarm any network link degradation where packet loss exceeds 0.001 percent or one-way latency exceeds 1 millisecond within 30 seconds of threshold exceedance, and SHALL forward consolidated health data to the Signalling Diagnostic and Monitoring System. Rationale: Early detection of link degradation allows preventive maintenance before safety-critical communication is affected. The 0.001 percent packet loss threshold is set one order of magnitude below the level that would trigger RaSTA retransmissions, providing advance warning. The 30-second detection time balances responsiveness against false alarm rates. | Test | subsystem, communication-network, session-305, idempotency:sub-commnet-monitoring-305 |
| SUB-REQS-FUNC-050 | When one of the two PRP redundant network paths is lost, the Safety-Critical Data Network Switch SHALL continue to deliver all vital messages via the remaining path with no increase in end-to-end latency beyond 5 milliseconds above nominal, and the Network Diagnostic and Monitoring Agent SHALL raise a degraded-mode alarm within 10 seconds. Rationale: Single-path operation is the designed degraded mode for PRP networks. The 5ms latency increase limit ensures the 50ms network latency budget is not exceeded. The 10-second alarm threshold ensures maintenance is alerted before a second failure could cause total communication loss. | Test | subsystem, communication-network, session-305, idempotency:sub-commnet-degraded-305 |
| SUB-REQS-FUNC-051 | The LED Signal Module SHALL produce a minimum luminous intensity of 200 candela for red aspects, 200 candela for yellow aspects, and 300 candela for green aspects, measured on-axis at the design beam centre, across the full operating temperature range of -25°C to +70°C. Rationale: Derived from Railway Group Standard GK/RT0045 visibility requirements. Green requires higher intensity because it must be distinguished from surrounding ambient light at maximum sighting distance. Values ensure reliable aspect recognition at 1000m sighting distance in clear conditions. Below these thresholds, aspect misidentification risk increases — particularly yellow/green confusion in low sun conditions. | Test | subsystem, colour-light, led-module, session-306, idempotency:sub-colour-light-led-intensity-306 |
| SUB-REQS-FUNC-052 | The LED Signal Module SHALL maintain minimum luminous intensity with up to 30% of LED strings failed, measured as aggregate output remaining above 70% of nominal intensity per Railway Group Standard. Rationale: LED modules use redundant parallel strings so that individual LED failures do not immediately extinguish an aspect. The 30% threshold is derived from field reliability data on LED signal modules: at this failure level the signal remains visible but maintenance must be scheduled. Beyond 30% string loss, the Signal Proving Unit detects the degradation and triggers appropriate alarms or failsafe action. | Test | subsystem, colour-light, led-module, session-306, idempotency:sub-colour-light-led-degradation-306 |
| SUB-REQS-FUNC-053 | When a proceed-aspect LED Signal Module fails or degrades below 70% luminous output, the Signal Proving and Monitoring Unit SHALL force the signal to display its most restrictive aspect (red) via hardware failsafe relay within 500 milliseconds of failure detection. Rationale: This is the primary safety function of the colour-light output subsystem (SIL4). A failed proceed aspect (green/yellow) that remains lit or appears lit when it is not creates a collision hazard. The 500ms detection-to-failsafe window ensures that no train receives a false proceed authority for more than one signal update cycle. Hardware relay implementation ensures the failsafe path is independent of software faults in the Signal Aspect Driver. | Test | subsystem, colour-light, signal-proving, safety, session-306, idempotency:sub-colour-light-proving-failsafe-306 |
| SUB-REQS-FUNC-054 | The Signal Aspect Driver SHALL enforce aspect sequencing rules such that a 4-aspect signal transitions through yellow before displaying red from a green or double-yellow aspect, with each intermediate aspect displayed for a minimum of 3 seconds. Rationale: Aspect sequencing prevents abrupt green-to-red transitions that could confuse drivers during normal step-down of the sequence. The 3-second minimum for intermediate aspects derives from driver reaction time studies: a driver approaching at line speed needs at least 2 seconds to register an aspect change, and 1 second of margin accounts for attention latency. Sequencing is enforced at the driver board level as a second layer of defence independent of the interlocking logic. It applies to normal sequence changes only: a replacement to danger commanded by the interlocking, and the failsafe paths of SUB-REQS-FUNC-053 and SUB-REQS-FUNC-055, go straight to red and are not delayed by the stepping timer. | Test | subsystem, colour-light, signal-aspect-driver, session-306, idempotency:sub-colour-light-sequencing-306 |
| SUB-REQS-FUNC-055 | When the Signal Aspect Driver loses its command input from the Object Controller or loses supply power, it SHALL default to displaying the most restrictive aspect (red) via a de-energised failsafe relay within 200 milliseconds. Rationale: Failsafe default to danger on loss of command or power is a fundamental principle of railway signalling safety (EN 50129). The de-energised relay design means the safe state requires no power — the relay physically drops to the danger-only path. 200ms ensures the transition occurs before a driver at maximum line speed (200 km/h) could traverse more than 11m, insufficient to pass the signal. | Test | subsystem, colour-light, signal-aspect-driver, safety, session-306, idempotency:sub-colour-light-failsafe-default-306 |
| SUB-REQS-FUNC-056 | The Signal Proving and Monitoring Unit SHALL implement a 2-out-of-2 (2oo2) comparison architecture for lamp failure detection, such that both independent monitoring channels must agree on lamp status before reporting healthy, and disagreement between channels SHALL trigger the failsafe relay. Rationale: A 2oo2 architecture achieves SIL4 dangerous failure rate targets by requiring agreement between two independent monitoring paths. A single channel failure (stuck-at-healthy) cannot mask a lamp failure because the second channel will disagree and trigger failsafe. This is the standard EN 50129 pattern for vital detection functions where false-healthy is the dangerous failure mode. | Analysis | subsystem, colour-light, signal-proving, safety, session-306, idempotency:sub-colour-light-proving-2oo2-306 |
| SUB-REQS-FUNC-057 | The Multi-Aspect Signal Head SHALL maintain aspect visibility at a minimum sighting distance of 1000 metres in clear daylight conditions, and 200 metres in fog conditions with visibility reduced to 200 metres, with anti-phantom hoods preventing false aspect display from direct sunlight. Rationale: Sighting distances are derived from braking distance calculations: at 200 km/h a train requires approximately 2000m to stop, so the signal must be visible at least 1000m ahead to provide warning time with two 4-aspect signals in sequence. Anti-phantom hoods are essential because sunlight entering the signal head can illuminate unlit aspects, potentially displaying a false proceed indication — this is a known hazard in UK operations with specific RAIB investigation precedents. | Test | subsystem, colour-light, signal-head, session-306, idempotency:sub-colour-light-head-visibility-306 |
| SUB-REQS-FUNC-058 | The Junction Route Indicator SHALL illuminate the correct route indication within 500 milliseconds of the interlocking confirming the route is set and locked, and SHALL extinguish within 200 milliseconds of the main aspect reverting to danger. Rationale: The 500ms illumination time matches SYS-REQS-PERF-002 signal aspect update requirement, ensuring route indication appears simultaneously with the proceed aspect. The faster 200ms extinguish time is required because an illuminated route indicator with a red aspect could mislead a driver into expecting a route that is being released — the indicator must go dark before or simultaneously with the aspect change to danger. | Test | subsystem, colour-light, junction-indicator, session-306, idempotency:sub-colour-light-jri-timing-306 |
| SUB-REQS-FUNC-059 | The Junction Route Indicator SHALL only illuminate when the associated main signal displays a proceed aspect (green, yellow, or double yellow), and SHALL remain extinguished whenever the signal displays a danger aspect (red), enforced by hardware interlock independent of the route data path. Rationale: A junction indicator lit alongside a red signal is a hazardous misleading indication — the driver might infer a route is set and proceed past the danger signal. The hardware interlock ensures this correlation is maintained even if the software route data path fails. This is a SIL4 requirement because incorrect correlation is a direct collision hazard at junctions. | Test | rt-untestable, red-team-session-522 |
| SUB-REQS-FUNC-060 | The Signal Proving and Monitoring Unit SHALL report lamp status, degradation percentage, and failure mode classification to the Signalling Diagnostic and Monitoring System at intervals not exceeding 10 seconds via serial diagnostic interface. Rationale: 10-second reporting interval balances diagnostic data freshness against serial link bandwidth shared across multiple signal heads on a single communication link. The degradation percentage enables predictive maintenance scheduling — maintenance teams can plan lamp module replacement before the 70% threshold triggers a failsafe, reducing service disruption. Failure mode classification (open circuit, short circuit, partial degradation) supports root-cause analysis and spares planning. | Test | subsystem, colour-light, signal-proving, diagnostic, session-306, idempotency:sub-colour-light-proving-diagnostic-306 |
| SUB-REQS-FUNC-061 | The Signalling Uninterruptible Power Supply SHALL maintain conditioned 110V AC output to all vital signalling loads for a minimum of 2 hours following complete loss of mains supply, at full rated load. Rationale: 2-hour backup ensures signalling remains operational during typical UK distribution network restoration times (average 90 minutes for planned outages). Below 2 hours, signallers may be forced into degraded manual procedures during extended mains faults, increasing risk of wrong-side failures. | Test | subsystem, power-supply, session-308, idempotency:sub-ups-backup-duration-308 |
| SUB-REQS-FUNC-062 | The Signalling Uninterruptible Power Supply SHALL produce a sinusoidal output waveform with total harmonic distortion not exceeding 3 percent under all load conditions from 25 to 100 percent of rated capacity. Rationale: Audio-frequency track circuits operating at 83Hz and 91.5Hz are sensitive to harmonic content in their power supply. THD above 3 percent introduces spurious frequency components that can cause false track circuit occupancy or clear indications, both of which are safety-critical failures. | Test | subsystem, power-supply, session-308, idempotency:sub-ups-thd-308 |
| SUB-REQS-FUNC-063 | The Signalling Power Distribution Panel SHALL provide galvanically separated bus bars for vital signalling loads and non-vital loads, such that a fault on any non-vital circuit SHALL NOT cause loss of supply to any vital circuit. Rationale: Non-vital loads (building services, workstation displays, HVAC) share the same mains intake but must not be able to trip protection devices on vital circuits. A short circuit on a display monitor cable must not de-energise the interlocking power supply. Galvanic separation at the bus bar level is the standard mitigation. | Test | rt-untestable, red-team-session-522 |
| SUB-REQS-FUNC-064 | The Track Circuit Power Feed Unit SHALL maintain output frequency stability within 0.1 percent of the nominal audio frequency under all load and temperature conditions. Rationale: Adjacent track circuits operate at different audio frequencies (e.g. 83Hz and 91.5Hz) to prevent cross-talk. Frequency drift beyond 0.1 percent narrows the guard band between adjacent circuits and can cause false occupancy indications in neighbouring track sections. | Test | subsystem, power-supply, session-308, idempotency:sub-tcpf-freq-stability-308 |
| SUB-REQS-FUNC-065 | The Signalling Power Feeder SHALL accept dual independent incoming mains supplies and SHALL automatically select the healthy supply within 100 milliseconds of detecting loss or out-of-tolerance voltage on the primary supply. Rationale: Dual incoming supplies from different grid feeders provide first-level redundancy before the UPS. The 100ms switchover time is within the UPS input hold-up period, ensuring the UPS battery is not discharged during routine supply changeovers. | Test | subsystem, power-supply, session-308, idempotency:sub-spf-dual-supply-308 |
| SUB-REQS-FUNC-066 | When operating on battery backup, the Power Supply Monitoring and Switchover Controller SHALL shed non-vital loads within 5 seconds of mains loss confirmation to extend vital supply runtime to a minimum of 3.5 hours. Rationale: Non-vital loads (HVAC, workstation displays, non-safety lighting) consume approximately 40 percent of the total signalling installation power budget. Shedding these loads within 5 seconds preserves battery capacity for vital functions. The 3.5-hour target exceeds the 2-hour vital-only requirement by providing margin for extended outages. | Test | subsystem, power-supply, session-308, idempotency:sub-mon-loadshed-308 |
| SUB-REQS-FUNC-067 | The Signalling Uninterruptible Power Supply SHALL monitor individual cell voltage and temperature of the VRLA battery bank and SHALL generate an alarm when any cell deviates by more than 0.3V from the bank average or exceeds 45 degrees Celsius. Rationale: Individual cell failure is the primary cause of UPS battery bank degradation. A single failed cell can reduce backup runtime by 50 percent or more without warning if not individually monitored. The 0.3V threshold and 45 degrees Celsius limit are derived from VRLA manufacturer thermal runaway prevention guidance. | Test | subsystem, power-supply, session-308, idempotency:sub-ups-cell-monitor-308 |
| SUB-REQS-FUNC-068 | The Alarm Management Processor SHALL apply alarm rationalisation rules compliant with EEMUA 191 guidelines, reducing alarm rate to no more than 10 alarms per 10 minutes per operator position during normal operations and no more than 20 alarms per 10 minutes during upset conditions. Rationale: EEMUA 191 defines industry-standard alarm rates. Exceeding 10 alarms per 10 minutes leads to operator overload and missed critical alarms. During cascade failures, unrationalised systems can generate hundreds of alarms per minute, masking the root cause. | Test | subsystem, diagnostic-monitoring, session-308, idempotency:sub-amp-rationalisation-308 |
| SUB-REQS-FUNC-069 | The Event Logger and Replay Unit SHALL retain all signalling state change events, operator commands, and alarm events for a minimum of 90 days on dual-redundant non-volatile storage with tamper-evident integrity verification. Rationale: Network Rail standard NR/L2/SIGP/10201 requires minimum 90-day event retention for post-incident analysis. Dual-redundant storage prevents data loss from single disk failure. Tamper-evident storage ensures event records are admissible as evidence in RAIB investigations. | Inspection | subsystem, diagnostic-monitoring, session-308, idempotency:sub-elr-retention-308 |
| SUB-REQS-FUNC-070 | The Condition Monitoring Server SHALL aggregate health data from all signalling subsystems with a data collection latency not exceeding 30 seconds from field equipment state change to server database record. Rationale: 30-second aggregation latency provides near-real-time maintenance visibility while allowing time for data transport across multi-protocol collection (Modbus, SNMP, OPC UA). Tighter latency would require dedicated real-time links that are unnecessary for maintenance trend analysis. | Test | subsystem, diagnostic-monitoring, session-308, idempotency:sub-cms-aggregation-308 |
| SUB-REQS-FUNC-071 | The Remote Diagnostic Gateway SHALL enforce read-only access to diagnostic data for all remote sessions and SHALL NOT provide any control path to safety-critical signalling equipment. Rationale: Any remote control path to signalling equipment creates a cybersecurity attack surface that could be exploited to issue unsafe commands. Read-only enforcement eliminates this risk class entirely. Compliant with NR/L2/CYB/27009 requirement for network segmentation between diagnostic and vital domains. | Test | rt-untestable, red-team-session-522 |
| SUB-REQS-FUNC-072 | The Event Logger and Replay Unit SHALL timestamp all recorded events with accuracy of 1 millisecond or better, synchronised to GPS time reference. Rationale: 1ms timestamp accuracy is required to establish causal ordering of events during post-incident analysis. GPS synchronisation ensures timestamps are absolute and correlatable with train-borne event records and other infrastructure logs. | Test | subsystem, diagnostic-monitoring, session-308, idempotency:sub-elr-timestamp-308 |
| SUB-REQS-FUNC-073 | The Track Diagram Display Processor SHALL render updated track occupation, signal aspect, point position, and route status indications within 500ms of receiving state change data from the Computer-Based Interlocking. Rationale: 500ms display latency ensures signaller sees current system state within one interlocking cycle. Longer delays risk the signaller issuing commands based on stale information, particularly during rapid route-setting sequences where multiple points and signals change within seconds. | Test | subsystem, signaller-workstation, session-309, idempotency:sub-sw-display-latency-309 |
| SUB-REQS-FUNC-074 | The Track Diagram Display Processor SHALL render a geographical schematic containing at least 500 simultaneously displayed objects (track sections, signals, points, level crossings) without exceeding 500ms refresh cycle. Rationale: 500 objects represents the upper bound for a large UK power signal box area (e.g., major junction with approaches). If the rendering pipeline cannot maintain frame rate at this object count, display lag during peak traffic periods would degrade situational awareness. | Test | subsystem, signaller-workstation, session-309, idempotency:sub-sw-display-capacity-309 |
| SUB-REQS-FUNC-075 | The Route Setting and Command Interface SHALL require a two-stage confirmation sequence (signal selection followed by route exit selection) for all route-setting commands, and SHALL transmit the command to the CBI only after the signaller confirms the complete route on a confirmation dialog. Rationale: Two-stage confirmation prevents accidental route setting from single erroneous clicks. This is a fundamental safety mechanism required by Railway Group Standard GK/RT0045 for signaller HMI design. Without confirmation, a mistaken click on a signal icon could set a conflicting route. | Demonstration | rt-untestable, red-team-session-522 |
| SUB-REQS-FUNC-076 | The Route Setting and Command Interface SHALL acknowledge operator input within 200ms of the operator action, providing visual feedback (highlight, cursor change, or confirmation dialog) on the track diagram display. Rationale: 200ms is the human perception threshold for interactive responsiveness. Exceeding this creates uncertainty about whether the input was registered, leading to repeated clicks and potential double-commands. Derived from ISO 9241-305 HMI response time guidance. | Test | subsystem, signaller-workstation, performance, session-309, idempotency:sub-sw-input-response-309 |
| SUB-REQS-FUNC-077 | The Route Setting and Command Interface SHALL generate a timestamped audit record for every operator action (route setting, signal replacement, emergency control, alarm acknowledgement) with operator identity, action type, target object, and UTC timestamp accurate to 100ms. Rationale: Juridical recording of signaller actions is mandated by Railway Group Standard GE/RT8270 for post-incident investigation. 100ms timestamp accuracy enables correlation with interlocking event logs and train detection records during timeline reconstruction. | Test | subsystem, signaller-workstation, session-309, idempotency:sub-sw-audit-trail-309 |
| SUB-REQS-FUNC-078 | The Alarm Display and Management Panel SHALL present new alarms within 1 second of receipt from the Alarm Management Processor, sorted by priority (safety, operational, maintenance) with colour coding compliant with EEMUA 191 guidelines. Rationale: 1-second alarm latency is the EEMUA 191 recommended maximum for safety-related alarms in control room environments. Priority sorting ensures the signaller addresses the most critical condition first during multi-alarm situations. | Test | subsystem, signaller-workstation, session-309, idempotency:sub-sw-alarm-latency-309 |
| SUB-REQS-FUNC-079 | When more than 10 alarms are received within a 10-second window, the Alarm Display and Management Panel SHALL activate alarm flood management, suppressing consequential alarms and presenting a root-cause summary grouping related alarms by originating subsystem. Rationale: Alarm floods during major failures (e.g., power supply loss affecting multiple track circuits) can overwhelm the signaller with hundreds of individual alarms. EEMUA 191 Section 5.4 requires alarm flood suppression to maintain operator effectiveness. The 10-alarm/10-second threshold is derived from typical UK signalling alarm rates during power restoration events. | Test | subsystem, signaller-workstation, safety, session-309, idempotency:sub-sw-alarm-flood-309 |
| SUB-REQS-FUNC-080 | When the primary workstation fails (loss of application heartbeat, display output failure, or network connectivity loss), the Workstation Redundancy Controller SHALL complete switchover to the standby workstation within 5 seconds, with the standby resuming the identical track diagram state, alarm queue, and authenticated session. Rationale: 5-second switchover ensures the signaller regains situational awareness before any route-setting timeout expires (typical CBI route-setting timeout is 30 seconds). State transfer must include alarm queue to prevent loss of unacknowledged safety alarms during failover. Based on Network Rail GRIP Stage 4 availability modelling for York ROC workstations. | Test | subsystem, signaller-workstation, reliability, session-309, idempotency:sub-sw-failover-309 |
| SUB-REQS-FUNC-081 | The Signaller Authentication and Access Control Module SHALL authenticate signallers via smart card plus PIN before granting control access, and SHALL restrict command authority to the geographical area assigned to the authenticated signaller role. Rationale: Dual-factor authentication (smart card + PIN) prevents unauthorised route setting, which is a safety-critical function. Geographic area restriction ensures signallers only control areas they are trained and qualified for, as required by Rule Book Module TW1 for signaller competency management. | Demonstration | rt-untestable, red-team-session-522 |
| SUB-REQS-FUNC-082 | When the authentication system is unavailable, the Signaller Authentication and Access Control Module SHALL permit emergency access via physical key override, granting full control authority with all actions logged as unauthenticated emergency operations. Rationale: Authentication system failure must not prevent emergency signalling operations. Physical key override is the industry-standard fallback mechanism, providing a non-electronic bypass that remains functional during complete IT system failures. Logging as unauthenticated ensures post-incident traceability. | Demonstration | rt-untestable, red-team-session-522 |
| SUB-REQS-FUNC-083 | While no operator input is detected for 300 seconds, the Signaller Authentication and Access Control Module SHALL lock command input while maintaining display-only mode showing the current track diagram and active alarms. Rationale: Automatic lock prevents unauthorised personnel from issuing commands on an unattended workstation. Display-only mode is preserved (rather than blanking the screen) because situational awareness must be maintained for adjacent signallers and supervisors. 300-second timeout balances security against operational workflow where signallers may monitor without input during low-traffic periods. | Test | subsystem, signaller-workstation, session-309, idempotency:sub-sw-screen-lock-309 |
| SUB-REQS-FUNC-084 | The Automatic Route Setting Engine SHALL issue route-setting requests to the CBI via the TMS-CBI Interface Gateway between 120 and 240 seconds before the planned train arrival at each signal, adjusted by current train speed and section length. Rationale: 120-240 second lookahead window ensures points are set and locked before train arrival while not occupying junction capacity unnecessarily. Too early locks out conflicting routes; too late risks the train approaching a signal at danger. Values derived from Network Rail ARS specification NR/L2/SIG/30014. | Test | subsystem, traffic-management, session-309, idempotency:sub-tms-ars-lookahead-309 |
| SUB-REQS-FUNC-085 | The Automatic Route Setting Engine SHALL manage simultaneous route-setting for at least 500 active train services across the control area without exceeding 2-second decision cycle time. Rationale: 500 trains represents peak capacity for a major UK regional operations centre (e.g., Wales and Western ROC manages approximately 450 services at peak). 2-second decision cycle ensures route requests are timely for the 120-second minimum lookahead. | Test | rt-missing-failure-mode, red-team-session-522 |
| SUB-REQS-FUNC-086 | The Conflict Detection and Resolution Module SHALL detect path conflicts at junctions, crossovers, and single-line sections at least 15 minutes before the predicted conflict time, and SHALL present the conflict alert with at least three regulation options ranked by total network delay impact. Rationale: 15-minute minimum lookahead gives signallers sufficient time to evaluate options and implement regulation before the conflict materialises. Three ranked options are the minimum for meaningful decision support — fewer options are not useful; more than five overwhelm the signaller. Total network delay ranking prevents local optimisation that increases overall disruption. | Test | subsystem, traffic-management, session-309, idempotency:sub-tms-conflict-lookahead-309 |
| SUB-REQS-FUNC-087 | The Train Describer and Berth Management component SHALL step train identities between berths within 500ms of receiving the corresponding track occupation change from the CBI, maintaining accurate identity-to-berth association for at least 500 concurrent train headcodes. Rationale: 500ms berth step latency ensures the track diagram display shows correct train identities in near-real-time. Delay beyond this creates visual mismatch between track occupation indications and train labels, confusing signallers. 500 concurrent headcodes matches the ARS capacity requirement. | Test | subsystem, traffic-management, session-309, idempotency:sub-tms-td-berthstep-309 |
| SUB-REQS-FUNC-088 | The TMS-CBI Interface Gateway SHALL enforce rate limiting of a maximum 20 route-setting commands per second to the CBI, and SHALL buffer excess commands in a FIFO queue with a maximum queue depth of 100 commands. Rationale: Rate limiting prevents the ARS from overwhelming the CBI command processing pipeline during perturbation recovery when many routes are re-set simultaneously. 20 commands/second is the typical CBI command processing capacity. 100-command queue depth covers the worst-case burst during a 5-second ARS decision cycle at maximum route density. | Test | subsystem, traffic-management, session-309, idempotency:sub-tms-gateway-ratelimit-309 |
| SUB-REQS-FUNC-089 | The Timetable and Train Graph Processor SHALL import and validate working timetable data in CIF format within 60 seconds of receipt, rejecting timetables with scheduling conflicts (overlapping platform allocations, impossible run times) and reporting validation failures to the signaller workstation. Rationale: 60-second import time ensures timetable updates during the operating day (Very Short Term Plan amendments) are available to the ARS quickly. Validation prevents corrupt or conflicting timetable data from causing incorrect ARS routing decisions. | Test | subsystem, traffic-management, session-309, idempotency:sub-tms-timetable-import-309 |
| SUB-REQS-FUNC-090 | When the TMS-CBI Interface Gateway loses connectivity to the CBI for more than 30 seconds, the Automatic Route Setting Engine SHALL suspend automatic route-setting for the affected interlocking area and SHALL alert the signaller that manual route setting is required, while continuing conflict detection and train graph display for unaffected areas. Rationale: Automatic route setting without CBI connectivity would queue commands that may no longer be valid when connectivity is restored. 30-second timeout allows for brief network interruptions (PRP switchover, RaSTA reconnection) without disrupting ARS operation. Continued conflict detection for unaffected areas prevents cascade degradation. | Test | subsystem, traffic-management, reliability, session-309, idempotency:sub-tms-degraded-mode-309 |
| SUB-REQS-PERF-010 | The Vital Processing Unit SHALL complete each interlocking processing cycle, from input acquisition through output command issue, within 500ms under worst-case loading of 200 simultaneous route requests. Rationale: The 500ms cycle time determines the maximum reaction time of the interlocking to any safety-critical event (train entering an occupied section, point failing to detect). Derived from the 2-minute headway requirement: at 160km/h line speed a train covers 44m per cycle, which must be bounded for safe braking distance calculations. 200 simultaneous routes represents a large junction during peak disruption recovery. | Test | subsystem, cbi, vpu, performance, session-300, idempotency:sub-cbi-cycle-time-300 |
| SUB-REQS-PERF-011 | The Vital Processing Unit SHALL achieve a mean time between dangerous failures (MTBFd) of at least 100,000 hours and a mean time to restoration (MTTR) of no more than 30 minutes when a spare module is available on-site. Rationale: MTBFd of 100,000 hours is the minimum to achieve the system-level 99.99% availability target with the 2oo3 architecture providing fault tolerance. The 30-minute MTTR with on-site spares ensures the system returns to full 2oo3 redundancy before a second failure is statistically likely, based on Markov availability modelling. | Analysis | subsystem, cbi, vpu, performance, session-300, idempotency:sub-cbi-vpu-availability-300 |
| SUB-REQS-PERF-012 | Each Object Controller SHALL manage a minimum of 16 field objects simultaneously, with a maximum input-to-output latency of 50ms for any individual object command. Rationale: 16 objects per OC is the standard grouping for trackside location cases, balancing wiring cost against OC unit count. The 50ms latency budget is allocated from the 200ms read-back window in SUB-REQS-FUNC-005, leaving margin for field device actuation time and communication overhead. | Test | subsystem, cbi, object-controller, performance, session-300, idempotency:sub-cbi-oc-capacity-300 |
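The alarm flood rule of SUB-REQS-FUNC-079 (more than 10 alarms within 10 seconds activates flood management, consequential alarms are suppressed, a root-cause summary groups the rest by originating subsystem) together with the priority ordering of SUB-REQS-FUNC-078, as an added worked example in Python that is not code from the report or any product. The alarm record layout, the `consequential` flag and the sample power-loss burst are constructed assumptions.

```python
"""Alarm flood management for the Alarm Display and Management Panel.

Added example; not code from the report or from any product. It implements the
rule in SUB-REQS-FUNC-079 (more than 10 alarms within 10 seconds activates
flood management, consequential alarms are suppressed, a root-cause summary
groups the rest by originating subsystem) and the priority ordering of
SUB-REQS-FUNC-078. The Alarm record, the 'consequential' flag and the sample
burst are constructed assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

FLOOD_COUNT = 10        # more than this many alarms ...
FLOOD_WINDOW_S = 10.0   # ... within this many seconds activates flood management
PRIORITY_ORDER = {"safety": 0, "operational": 1, "maintenance": 2}


@dataclass(frozen=True)
class Alarm:
    t: float              # arrival time in seconds (constructed clock)
    subsystem: str        # originating subsystem
    tag: str              # alarm identifier
    priority: str         # "safety" | "operational" | "maintenance"
    consequential: bool = False  # raised as a consequence of another alarm (assumed flag)


@dataclass
class FloodManager:
    window: deque = field(default_factory=deque)        # alarms from the last 10 s
    flood_mode: bool = False
    presented: list = field(default_factory=list)       # shown individually
    suppressed: list = field(default_factory=list)      # hidden while in flood mode
    groups: dict = field(default_factory=lambda: defaultdict(list))  # flood alarms by subsystem

    def receive(self, alarm):
        """Process one alarm in arrival order; returns True if it is presented."""
        # Drop alarms that have left the sliding 10-second window.
        while self.window and alarm.t - self.window[0].t > FLOOD_WINDOW_S:
            self.window.popleft()
        self.window.append(alarm)
        if len(self.window) > FLOOD_COUNT:
            if not self.flood_mode:
                # Entering flood mode: everything already in the window belongs to
                # the flood, so the earliest alarm per subsystem is the likely root cause.
                self.flood_mode = True
                for a in self.window:
                    self.groups[a.subsystem].append(a)
            else:
                self.groups[alarm.subsystem].append(alarm)
            if alarm.consequential:
                self.suppressed.append(alarm)
                return False
        else:
            self.flood_mode = False   # the summary of the last flood is retained
        self.presented.append(alarm)
        return True

    def display_queue(self):
        """Alarms to show, safety first, then by arrival (SUB-REQS-FUNC-078)."""
        return sorted(self.presented, key=lambda a: (PRIORITY_ORDER[a.priority], a.t))

    def root_cause_summary(self):
        """One row per subsystem in the flood, earliest-first, with its first alarm."""
        rows = []
        for subsystem, alarms in self.groups.items():
            first = min(alarms, key=lambda a: a.t)
            rows.append({"subsystem": subsystem, "count": len(alarms),
                         "first": first.tag, "t": first.t})
        return sorted(rows, key=lambda r: r["t"])


def run(alarms):
    """Feed a list of alarms through a fresh FloodManager and return it."""
    fm = FloodManager()
    for a in sorted(alarms, key=lambda a: a.t):
        fm.receive(a)
    return fm


def power_loss_burst():
    """Constructed burst: one UPS mains-loss alarm, twelve track-circuit alarms it
    causes over the next six seconds, then an unrelated safety alarm."""
    alarms = [Alarm(0.0, "power-supply", "UPS1-MAINS-LOST", "operational")]
    for i in range(12):
        alarms.append(Alarm(0.5 + 0.5 * i, "train-detection", f"TC{i:02d}-OCCUPIED",
                            "operational", consequential=True))
    alarms.append(Alarm(7.0, "cbi", "VPU-2OO3-DISAGREE", "safety"))
    return alarms
```

In the constructed burst the flood starts at the eleventh alarm, so the first ten are already on screen; the summary still names the power-supply alarm first because every alarm in the window is grouped when flood mode is entered.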
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| IFC-CBIINTERFACES-001 | The interface between the Computer-Based Interlocking and the Train Detection Subsystem SHALL transmit track section occupancy status (occupied/clear) for each track circuit and axle counter section as a safety-certified binary state, updated at a minimum rate of 2Hz, over a dedicated serial or Ethernet link conforming to EN 50159 Category 1. Rationale: Track occupancy is the primary safety input to the interlocking. 2Hz update rate ensures the interlocking detects a train entering a section within 500ms (one cycle). Category 1 (closed network) is appropriate because this is a point-to-point link within the equipment room. Binary state per section minimises protocol complexity and interpretation ambiguity in the safety logic. | Test | interface, cbi, train-detection, session-300, idempotency:ifc-cbi-traindet-300 |
| IFC-CBIINTERFACES-002 | The interface between the Computer-Based Interlocking and the Colour-Light Signalling Output SHALL transmit signal aspect commands (red, yellow, double-yellow, green, flashing aspects) as vital output via Object Controllers, with the signal reverting to its most restrictive aspect (red) within 2 seconds if the command link is lost. Rationale: Signal aspects are the primary safety output to train drivers. The 2-second fail-safe timeout ensures signals default to red on communication loss, preventing a proceed indication without a valid route. Aspect commands flow through Object Controllers which provide the physical drive and read-back verification. | Test | rt-vague-interface, red-team-session-522 |
| IFC-CBIINTERFACES-003 | The interface between the Computer-Based Interlocking and the Points and Crossing Drive System SHALL transmit point position commands (normal/reverse) and receive point detection status (normal detected, reverse detected, no detection) via Object Controllers, with a maximum point movement timeout of 10 seconds after which the interlocking SHALL report a point failure. Rationale: Point detection confirms the physical position of switch blades before a route can be signalled. The 10-second timeout is derived from the maximum mechanical travel time of clamp-lock point machines (typically 5-7 seconds) plus margin. No-detection state triggers point failure and route cancellation to prevent movement over unsecured points. | Test | rt-vague-interface, red-team-session-522 |
| IFC-CBIINTERFACES-004 | The interface between the Computer-Based Interlocking and the ETCS Radio Block Centre SHALL provide route status data (route set, route locked, route released, overlap status) via the Communication Gateway using RaSTA (Rail Safe Transport Application) protocol over TCP/IP, with a maximum end-to-end latency of 500ms and a safety-integrity connection timeout of 2 seconds. Rationale: The ETCS RBC derives movement authorities from interlocking route status. RaSTA is the mandated safety protocol for ETCS Level 2 per SUBSET-098. The 500ms latency bounds the delay in issuing updated movement authorities after a route change. The 2-second timeout causes the RBC to issue an emergency stop if interlocking communication is lost, preventing train movement without current route data. | Test | interface, cbi, etcs, session-300, idempotency:ifc-cbi-etcs-300 |
| IFC-CBIINTERFACES-005 | The interface between the Computer-Based Interlocking and the Traffic Management System SHALL accept automatic route-setting commands and return route confirmation or rejection responses, using a non-vital TCP/IP link with message acknowledgment within 1 second. The interlocking SHALL independently validate every route request against its safety logic regardless of the TMS command. Rationale: TMS automates route setting for timetable execution but is non-vital — the interlocking must independently enforce safety. The 1-second acknowledgment enables TMS to detect communication failure and alert the signaller for manual intervention. Non-vital link classification reflects that TMS commands can never override interlocking safety logic. | Test | interface, cbi, tms, session-300, idempotency:ifc-cbi-tms-300 |
| IFC-CBIINTERFACES-006 | The interface between the Computer-Based Interlocking and the Level Crossing Protection System SHALL transmit crossing activation and release commands based on train approach detection, and receive crossing status (barriers down confirmed, barriers failed, road clear) as a vital input, with crossing proved down before the protecting signal can clear. Rationale: The interlocking must prove barriers are down before allowing a train to proceed towards a level crossing — this is a direct safety interlock. Crossing status as vital input ensures barrier mechanical failure prevents signal clearance. This implements the UK standard for AHBC crossings where the interlocking controls the approach signal. | Test | rt-untestable, red-team-session-522 |
| IFC-CBIINTERFACES-007 | The interface between the Wheel Sensor and the Axle Counter Evaluator SHALL transmit analogue pulse signals via shielded twisted-pair cable with a maximum cable length of 12 km, maintaining a minimum signal-to-noise ratio of 20 dB at the evaluator input across the full operating temperature range (-40 to +70 degrees C). Rationale: 12 km maximum cable length accommodates the largest typical interlocking area without repeaters. The 20 dB SNR threshold ensures reliable axle discrimination even with electromagnetic interference from AC traction return currents, which are the dominant noise source in electrified railway environments. Temperature range covers extreme European climate conditions per EN 50125-3. | Test | interface, train-detection, axle-counter, session-301, idempotency:ifc-td-ws-ace-301 |
| IFC-CBIINTERFACES-008 | The interface between the Audio-Frequency Track Circuit and the Train Detection Data Concentrator SHALL transmit binary occupied/clear status as voltage-free relay contacts, with the concentrator polling each track circuit input at a minimum rate of 10 Hz. Rationale: Voltage-free relay contacts provide galvanic isolation between the trackside track circuit equipment and the indoor data concentrator, preventing traction current ground faults from propagating into the signalling equipment room. 10 Hz polling rate ensures occupancy changes are captured within 100ms, consistent with the concentrator's aggregation latency budget. | Test | interface, train-detection, aftc, session-301, idempotency:ifc-td-aftc-tddc-301 |
| IFC-CBIINTERFACES-009 | The interface between the Axle Counter Evaluator and the Train Detection Data Concentrator SHALL use RS-485 serial communication at 19200 baud with EN 50159 Category 1 safety coding, transmitting section occupancy status, axle count values, and diagnostic data at a minimum update rate of 5 Hz per counting point. Rationale: RS-485 provides noise-immune differential signalling suitable for the equipment room environment. 19200 baud is sufficient for the data volume (approximately 20 bytes per counting point per update). EN 50159 Category 1 safety coding (sequence numbers, CRC, time stamps) protects against message corruption on the closed network. 5 Hz update rate per counting point ensures the concentrator receives occupancy changes within 200ms of the evaluator detecting them. | Test | interface, train-detection, axle-counter, session-301, idempotency:ifc-td-ace-tddc-301 |
| IFC-CBIINTERFACES-010 | The interface between the Train Detection Data Concentrator and the Computer-Based Interlocking Object Controllers SHALL transmit the unified occupancy table for up to 128 track sections as a cyclic vital serial message at 10 Hz, with EN 50159 Category 3 safety coding including cryptographic authentication. Rationale: 10 Hz cyclic transmission ensures the CBI always has occupancy data no older than 100ms. 128 sections is the maximum concentrator capacity, matching the largest typical interlocking area. EN 50159 Category 3 coding (with cryptographic message authentication) is required because this link carries vital data that directly controls route-locking decisions — any undetected corruption could lead to a false-clear and potential collision. | Test | interface, train-detection, data-concentrator, session-301, idempotency:ifc-td-tddc-cbi-301 |
| IFC-CBIINTERFACES-011 | The interface between the RBC-CBI Interface Gateway and the RBC Application Server SHALL transfer route status, point position, and track occupancy data as structured messages at a minimum rate of 10 updates per second, with each message containing a monotonic sequence number and UTC timestamp for safe message ordering. Rationale: 10 Hz update rate matches the CBI processing cycle (100ms) and ensures the RBC Application Server always has current interlocking state for MA computation. Sequence numbering and timestamps enable the application server to detect stale or out-of-order data, which could cause an MA to be computed against an obsolete track state. | Test | rt-vague-interface, red-team-session-522 |
| IFC-CBIINTERFACES-012 | The interface between the RBC Application Server and the Euroradio Safe Communication Layer SHALL transfer ETCS application messages conforming to SUBSET-026 packet format, with the safe communication layer accepting messages of up to 1023 bytes and providing delivery confirmation or failure notification within 2 seconds. Rationale: 1023 bytes is the maximum ETCS application message size per SUBSET-026 (accommodating the longest MA with full speed and gradient profile). 2-second delivery confirmation allows the application server to detect message delivery failures and trigger retransmission before the onboard T_NVCONTACT timeout expires. | Test | interface, etcs-rbc, session-302, idempotency:ifc-rbcapp-euroradio-302 |
| IFC-CBIINTERFACES-013 | The interface between the Euroradio Safe Communication Layer and the GSM-R Radio Interface Module SHALL provide a circuit-switched data bearer at 9.6 kbps with a bit error rate not exceeding 10^-3, with the Euroradio layer treating the bearer as unreliable and applying its own error detection and retransmission. Rationale: 9.6 kbps CSD is the standard GSM-R data bearer for ERTMS. The 10^-3 BER is the GSM-R specification limit; Euroradio is explicitly designed to provide SIL 4 safety on top of this error rate through its own integrity mechanisms. This interface definition ensures the safety case is independent of bearer reliability. | Test | interface, etcs-rbc, session-302, idempotency:ifc-euroradio-gsmr-302 |
| IFC-CBIINTERFACES-014 | The interface between the RBC Application Server and the RBC Handover Controller SHALL transfer train state data including current position, speed, active MA boundaries, and train characteristics within 200 milliseconds of the handover controller requesting it, to support the 5-second handover completion budget. Rationale: 200ms for state data transfer leaves 4.8 seconds for the three-way handover protocol exchange with the adjacent RBC. Train state data must include the complete supervision context so the receiving RBC can construct a valid initial MA without requiring a full position report cycle from the train. | Test | rt-vague-interface, red-team-session-522 |
| IFC-CBIINTERFACES-015 | The interface between the RBC Application Server and the Juridical Recording Unit SHALL transfer event records via an asynchronous message queue with a guaranteed delivery mechanism, ensuring no event is lost even during peak load of 500 events per second. Rationale: 500 events/second represents worst-case load: 60 trains each generating position reports, MA updates, and acknowledgments simultaneously during a service recovery scenario. Asynchronous delivery via message queue ensures that recording latency does not affect real-time MA computation in the safety-critical path. Guaranteed delivery prevents evidence gaps in incident investigation. | Test | rt-vague-interface, red-team-session-522 |
| IFC-CBIINTERFACES-016 | The interface between the Level Crossing Controller and the Computer-Based Interlocking SHALL exchange train approach triggers, crossing protection status (clear/protecting/protected/failed), and fault reports via an EN 50159 Category 2 safety communication link with a maximum end-to-end latency of 500 milliseconds. Rationale: 500ms latency is within the CBI processing cycle tolerance for level crossing state. EN 50159 Category 2 (rather than Category 3) is sufficient because the controller and CBI are typically co-located in the same signalling equipment room or connected via a dedicated cable route with no untrusted network segments. | Test | interface, level-crossing, session-302, idempotency:ifc-lcc-cbi-302 |
| IFC-CBIINTERFACES-017 | The interface between the Level Crossing Obstacle Detection System and the Level Crossing Controller SHALL provide obstacle presence/absence status as a binary safe signal updated every 200 milliseconds, with a fail-safe output that indicates obstacle-present on sensor failure or communication loss. Rationale: 200ms update rate matches the obstacle detection scan cycle. Binary safe signal with fail-safe default ensures that sensor failure is treated as a potential obstacle, preventing barrier descent onto an undetected vehicle. This is the critical safety interface: a failure to detect an obstacle leads directly to a collision hazard. | Test | rt-vague-interface, red-team-session-522 |
| IFC-CBIINTERFACES-018 | The interface between the Level Crossing Controller and the Barrier Drive Mechanism SHALL provide raise/lower commands and receive barrier position feedback (angle in degrees, fully-raised and fully-lowered limit switch states) with a control loop update rate of at least 10 Hz. Rationale: 10 Hz position feedback is required for the controller to detect barrier stall conditions (motor failure, physical obstruction) within 100ms, enabling timely fault response. Angular position data allows the controller to monitor descent rate and detect partial-descent faults that limit switches alone cannot identify. | Test | interface, level-crossing, session-302, idempotency:ifc-lcc-barrier-302 |
| IFC-CBIINTERFACES-019 | The interface between the Point Drive Controller and the Electro-Hydraulic Point Machine SHALL deliver 3-phase AC power at 380-440V, 50Hz, with motor current monitoring at 100Hz sampling rate for current signature analysis enabling obstruction detection and wear trending. Rationale: 3-phase 380-440V is the standard European trackside power supply for electro-hydraulic point machines per EN 50123. 100Hz current sampling is required to capture the throw current profile with sufficient resolution to discriminate obstruction signatures (sharp current spike) from normal friction variation (gradual increase). Lower sampling rates miss transient obstruction events. | Test | interface, points-drive, session-304, idempotency:ifc-pdc-ehpm-power-304 |
| IFC-CBIINTERFACES-020 | The interface between the Point Position Detection Assembly and the Point Drive Controller SHALL provide two independent detection channels using fail-safe vital relay contacts, with each channel reporting blade position as a binary normal-detected or reverse-detected signal, updated within 50ms of blade reaching the detection threshold. Rationale: Two independent detection channels are required for SIL 4 per EN 50129 — a single detection channel cannot achieve the required diagnostic coverage. Vital relay contacts ensure fail-safe behavior: contact opening (spring return) maps to not-detected, satisfying the safe default. The 50ms update latency ensures detection state is current within two interlocking processing cycles. | Test | interface, points-drive, session-304, idempotency:ifc-ppda-pdc-detect-304 |
| IFC-CBIINTERFACES-021 | The interface between the Point Drive Controller and the Swing-Nose Crossing Actuator SHALL include a synchronisation interlock ensuring the crossing nose drive command is issued only after the main point blades have reached mid-stroke, and nose detection must be confirmed before the overall point detection is reported as complete. Rationale: Synchronisation prevents mechanical interference between blade and nose movement. If both move simultaneously, the crossing nose may collide with a partially-moved blade. The mid-stroke trigger point ensures blades have cleared the nose swing path. Requiring nose detection before overall point detection prevents routes being set over a turnout where blades are proven but the nose gap remains open. | Test | rt-vague-interface, red-team-session-522 |
| IFC-CBIINTERFACES-022 | The interface between the Point Heating System and the Signalling Diagnostic and Monitoring System SHALL report heater element status, power consumption per switch, ambient sensor readings, and heating mode at intervals not exceeding 60 seconds, using SNMP or Modbus TCP over the signalling Ethernet network. Rationale: 60-second reporting interval provides sufficient granularity for energy management and fault detection without overloading the diagnostic network. Individual switch power reporting enables detection of partial heater element failures (common failure mode — single element burnout reduces heating capacity without triggering a full alarm). SNMP/Modbus TCP aligns with existing signalling diagnostic infrastructure standards. | Test | interface, points-drive, heating, session-304, idempotency:ifc-phs-diag-monitoring-304 |
| IFC-CBIINTERFACES-023 | The interface between the Safety-Critical Data Network Switch and the Lineside Transmission Multiplexer SHALL use Gigabit Ethernet (IEEE 802.3ab) with 1000BASE-LX single-mode fiber optics, supporting a minimum link distance of 50 km and providing bit error rate better than 10^-12. Rationale: Single-mode fiber is required for the 2-50km distances between SER and lineside locations. 1000BASE-LX provides the bandwidth headroom for multiplexed field data while maintaining the BER required for safety communication over long fiber runs. | Test | interface, communication-network, session-305, idempotency:ifc-switch-mux-305 |
| IFC-CBIINTERFACES-024 | The interface between the Safety-Critical Data Network Switch and the Computer-Based Interlocking SHALL carry RaSTA-encapsulated vital messages over dual-redundant PRP Ethernet paths, with each path using physically separate cabling and switch ports, and SHALL support a sustained throughput of at least 100 Mbit/s per path. Rationale: Physical path separation ensures PRP provides genuine redundancy against cable damage or switch port failure. 100 Mbit/s throughput accommodates the aggregate traffic from interlocking commands, route status, and diagnostic data with margin for future capacity growth. | Test | interface, communication-network, session-305, idempotency:ifc-switch-cbi-305 |
| IFC-CBIINTERFACES-025 | The interface between the Cybersecurity Boundary Gateway and the Traffic Management System SHALL enforce unidirectional data flow from the safety network to the TMS for route status and train position data, and controlled bidirectional flow for TMS route requests, with all TMS-originated messages subject to deep packet inspection and protocol allowlisting. Rationale: Unidirectional flow for status data prevents the TMS from being used as an attack vector into the safety domain. Controlled bidirectional flow for route requests is necessary for operational functionality but requires DPI to ensure only valid route request message formats traverse the boundary. | Test | interface, communication-network, session-305, idempotency:ifc-fw-tms-305 |
| IFC-CBIINTERFACES-026 | The interface between the Network Time Distribution Server and the Safety-Critical Data Network Switch SHALL use IEEE 1588v2 PTP over Ethernet multicast, with the switch acting as a PTP boundary clock to minimize timestamp error accumulation, achieving end-to-end synchronization accuracy of 100 nanoseconds between grandmaster and any network endpoint. Rationale: Boundary clock mode in the switch corrects for switch residence time, preventing timestamp degradation across hops. The 100ns end-to-end target provides 10x margin over the 1-microsecond juridical recording requirement, accounting for asymmetric path delays and temperature-dependent oscillator drift. | Test | interface, communication-network, session-305, idempotency:ifc-ptp-switch-305 |
| IFC-CBIINTERFACES-027 | The interface between the Network Diagnostic and Monitoring Agent and the Signalling Diagnostic and Monitoring System SHALL transmit network health status, alarm events, and performance metrics via a non-vital TCP/IP link through the Cybersecurity Boundary Gateway, using SNMP traps for alarms and periodic polling for metrics at intervals not exceeding 60 seconds. Rationale: Non-vital classification is appropriate because network diagnostic data does not affect safe train movements. Routing through the cybersecurity gateway ensures the monitoring traffic traverses the security boundary under controlled conditions. 60-second polling interval balances diagnostic granularity against monitoring bandwidth overhead. | Test | interface, communication-network, session-305, idempotency:ifc-mon-diag-305 |
| IFC-CBIINTERFACES-028 | The interface between the Signal Aspect Driver and each LED Signal Module SHALL provide regulated 24VDC drive current at 350mA per LED string via dedicated wiring per aspect position, with current ripple not exceeding 5% to prevent visible flicker. Rationale: Each LED module requires individually regulated current to maintain consistent brightness across modules of different colours and ages. The 350mA per string is the standard forward current for high-power signal LEDs. 5% ripple limit prevents flicker visible to drivers at close range, which could be mistaken for a defective signal. | Test | interface, colour-light, session-306, idempotency:ifc-sad-lsm-drive-306 |
| IFC-CBIINTERFACES-029 | The interface between the Signal Proving and Monitoring Unit and each LED Signal Module SHALL provide per-string current sense feedback via dedicated monitoring connections, with measurement accuracy of 2% or better across the full operating range. Rationale: Per-string current sensing is required for the 2oo2 monitoring architecture to detect individual LED string failures before they accumulate to the 30% threshold. 2% accuracy ensures the monitoring unit can distinguish between a healthy string at reduced output (e.g., temperature-related) and a genuinely degrading string, preventing both false alarms and missed failures. | Test | interface, colour-light, session-306, idempotency:ifc-spmu-lsm-monitor-306 |
| IFC-CBIINTERFACES-030 | The interface between the Signal Proving and Monitoring Unit and the Signal Aspect Driver SHALL use a hardwired failsafe relay contact that, when de-energised by the proving unit, physically disconnects all proceed-aspect drive outputs and forces the danger aspect, independent of any software or data interface. Rationale: The hardwired relay failsafe path must be completely independent of the digital data path between the proving unit and the driver board. If the relay interface were implemented in software (e.g., via a serial command), a software fault could prevent the failsafe from activating. The de-energised=safe design means power loss to the relay circuit also triggers the safe state. | Test | rt-vague-interface, red-team-session-522 |
| IFC-CBIINTERFACES-031 | The interface between the Signal Proving and Monitoring Unit and the Signalling Diagnostic and Monitoring System SHALL transmit lamp status, degradation percentage, and failure classification via RS-485 serial link at 9600 baud, using a polling protocol with a maximum response time of 500 milliseconds. Rationale: RS-485 is the standard serial interface for lineside signalling equipment, supporting multi-drop connection of multiple signal heads on a single bus run of up to 1200m. 9600 baud provides sufficient bandwidth for diagnostic telemetry from up to 32 signal heads per bus segment. The 500ms response time ensures the diagnostic system receives current status within one polling cycle. | Test | interface, colour-light, diagnostic, session-306, idempotency:ifc-spmu-diag-serial-306 |
| IFC-CBIINTERFACES-032 | The interface between the Signal Aspect Driver and the Junction Route Indicator SHALL transmit route identity data via dedicated digital outputs (one per feather position or serial data for theatre displays), with an independent hardware interlock contact from the main aspect circuit that prevents route indicator illumination when the danger aspect is displayed. Rationale: Dual-path interface design: the route data path carries the identity of which feather or character to display, while the independent hardware interlock provides the safety function of preventing illumination during danger. Even if the data path erroneously commands a route display, the hardware interlock (driven from the main aspect relay chain) prevents illumination when the signal is at red. | Test | interface, colour-light, junction-indicator, session-306, idempotency:ifc-sad-jri-route-306 |
| IFC-CBIINTERFACES-033 | The interface between the Signalling Power Feeder and the Signalling Uninterruptible Power Supply SHALL deliver 110V AC single-phase at 50Hz with voltage regulation within plus or minus 10 percent, via a dedicated cable run with individual circuit protection. Rationale: The UPS input must receive clean mains-derived power within its input tolerance range. Dedicated cable run prevents other loads from affecting UPS input voltage quality. | Test | interface, power-supply, session-308, idempotency:ifc-spf-ups-308 |
| IFC-CBIINTERFACES-034 | The interface between the Signalling Uninterruptible Power Supply and the Signalling Power Distribution Panel SHALL deliver conditioned 110V AC at 50Hz with THD below 3 percent, and SHALL include a maintenance bypass path that allows UPS servicing without interruption to vital loads. Rationale: Conditioned output from UPS feeds vital bus of distribution panel. Maintenance bypass is essential to allow UPS battery replacement and servicing without de-energising the signalling installation. | Test | interface, power-supply, session-308, idempotency:ifc-ups-pdp-308 |
| IFC-CBIINTERFACES-035 | The interface between the Signalling Power Distribution Panel and the Track Circuit Power Feed Unit SHALL provide individually fused 110V AC supply with earth-fault monitoring, and SHALL alarm within 2 seconds of detecting earth leakage exceeding 30mA on any track circuit feeder. Rationale: Track circuit power feeds are distributed to lineside locations where cable damage is a common fault mode. Earth-fault monitoring at the distribution panel detects cable insulation breakdown before it escalates to a short circuit that could trip the feeder, losing track occupancy detection across multiple sections. | Test | rt-vague-interface, red-team-session-522 |
| IFC-CBIINTERFACES-036 | The interface between the Power Supply Monitoring and Switchover Controller and the Signalling Diagnostic and Monitoring System SHALL transmit power system status, battery state-of-charge, mains quality metrics, and alarm conditions via Modbus TCP at a polling interval not exceeding 10 seconds. Rationale: Modbus TCP is the standard industrial protocol for power monitoring equipment. 10-second polling ensures the diagnostic system has near-real-time visibility of power system health for maintenance planning and incident response. Battery SOC is critical for predicting remaining backup runtime. | Test | interface, power-supply, session-308, idempotency:ifc-mon-diag-308 |
| IFC-CBIINTERFACES-037 | The interface between the Alarm Management Processor and the Signaller Workstation SHALL deliver rationalised alarms with priority level, source subsystem identification, and suggested operator response within 2 seconds of the originating event. Rationale: 2-second alarm delivery ensures signallers receive timely notification of safety-relevant conditions. Priority level and source identification enable rapid triage. Suggested response reduces cognitive load during high-stress situations. | Test | interface, diagnostic-monitoring, session-308, idempotency:ifc-amp-sw-308 |
| IFC-CBIINTERFACES-038 | The interface between the Condition Monitoring Server and the Event Logger and Replay Unit SHALL provide a continuous event stream via TCP with guaranteed delivery, sequence numbering, and automatic reconnection within 5 seconds of link loss. Rationale: Guaranteed delivery with sequence numbering ensures no events are lost or duplicated in the tamper-evident record. Automatic reconnection prevents gaps in the event log during transient network issues. | Test | interface, diagnostic-monitoring, session-308, idempotency:ifc-cms-elr-308 |
| IFC-CBIINTERFACES-039 | The interface between the Remote Diagnostic Gateway and the Condition Monitoring Server SHALL authenticate all remote sessions using multi-factor authentication and SHALL log all queries with user identity, timestamp, and data accessed. Rationale: MFA prevents unauthorized access to diagnostic data which could reveal system vulnerabilities. Full query logging provides an audit trail for detecting reconnaissance attempts and ensuring accountability for data access. | Test | interface, diagnostic-monitoring, session-308, idempotency:ifc-rdg-cms-308 |
| IFC-CBIINTERFACES-040 | The interface between the Track Diagram Display Processor and the Computer-Based Interlocking SHALL carry track occupation, signal aspect, point position, and route status data via the signalling data network using the RaSTA safe communication protocol, with state updates delivered within 500ms of the interlocking output cycle. Rationale: RaSTA provides SIL 4 end-to-end data integrity for display data, ensuring the signaller cannot see corrupted state information. 500ms delivery matches the display refresh requirement and the interlocking cycle time. | Test | interface, signaller-workstation, session-309, idempotency:ifc-tddp-cbi-statedata-309 |
| IFC-CBIINTERFACES-041 | The interface between the Route Setting and Command Interface and the Computer-Based Interlocking SHALL transmit route-setting, signal replacement, and emergency control commands via the signalling data network with end-to-end delivery confirmation within 1 second, and SHALL reject commands when the authenticated signaller lacks area authority for the target objects. Rationale: 1-second command delivery confirmation gives the signaller timely feedback that the CBI has received the command. Area authority checking at the interface prevents commands from being sent to the CBI for objects outside the signaller's control area, providing defence-in-depth beyond the CBI's own validation. | Test | rt-vague-interface, red-team-session-522 |
| IFC-CBIINTERFACES-042 | The interface between the Alarm Display and Management Panel and the Alarm Management Processor SHALL receive rationalised alarm messages containing alarm ID, priority level, originating subsystem, timestamp, and descriptive text, with delivery latency not exceeding 500ms from rationalisation completion. Rationale: 500ms interface latency combined with 500ms AMP processing gives 1 second end-to-end alarm presentation, meeting EEMUA 191 targets. Structured alarm messages (ID, priority, source, text) enable the Alarm Display to sort, filter, and group without additional processing. | Test | interface, signaller-workstation, diagnostic-monitoring, session-309, idempotency:ifc-admp-amp-alarms-309 |
| IFC-CBIINTERFACES-043 | The interface between the TMS-CBI Interface Gateway and the Computer-Based Interlocking SHALL exchange route-setting requests (TMS to CBI) and route confirmation, signal aspect, point position, and track occupation data (CBI to TMS) via the signalling data network, with the CBI returning route confirmation or rejection within 2 seconds of request receipt. Rationale: 2-second confirmation timeout allows the ARS to detect rejected routes and attempt alternatives within its decision cycle. This interface is the critical boundary between non-vital TMS and vital CBI — all commands cross this boundary and are validated by the CBI independently. | Test | interface, traffic-management, session-309, idempotency:ifc-tmsgw-cbi-route-309 |
| IFC-CBIINTERFACES-044 | The interface between the Train Describer and Berth Management component and the Track Diagram Display Processor SHALL deliver train identity labels (4-character headcode) for overlay on the track diagram, with berth step updates delivered within 500ms of the identity stepping event. Rationale: Train identity labels on the track diagram are essential for the signaller to associate physical track occupation with scheduled services. 500ms update latency matches the TD berth step and display refresh requirements, preventing displayed headcodes from lagging behind track occupation indications. | Test | interface, traffic-management, signaller-workstation, session-309, idempotency:ifc-td-tddp-trainid-309 |
| IFC-CBIINTERFACES-045 | The interface between the Traffic Management System and the Signaller Workstation SHALL deliver conflict alerts, regulation recommendations, and ARS operational status to the Route Setting and Command Interface, with conflict alerts displayed within 2 seconds of detection by the Conflict Detection and Resolution Module. Rationale: 2-second alert delivery ensures signallers receive conflict information while there is still time to act. ARS status display (active/suspended per area) is critical for signallers to know whether automatic or manual route setting is in effect for their control area. | Test | interface, traffic-management, signaller-workstation, session-309, idempotency:ifc-tms-sw-conflicts-309 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| ARC-009 | ARC: Colour-Light Signalling Output — Separated safety monitoring from drive electronics. The Signal Proving and Monitoring Unit is architecturally independent of the Signal Aspect Driver, using a 2oo2 hardware comparison architecture with a dedicated failsafe relay. This separation ensures that a software fault in the aspect driver cannot mask a lamp failure. The alternative — integrated monitoring within the driver board — would reduce component count but creates a common-cause failure path between the drive function and the monitoring function, violating EN 50129 independence requirements for SIL4 safety functions. The Junction Route Indicator is driven through the Signal Aspect Driver but correlated with the main aspect via an independent hardware interlock, preventing a lit route indicator alongside a danger aspect even under driver board software failure. Rationale: Architectural separation of the safety monitoring function from the drive function is the standard EN 50129 pattern for SIL4 output subsystems. | Analysis | informational |
| ARC-010 | ARC: Signalling Power Supply System — Online double-conversion UPS topology with vital/non-vital bus separation at the distribution panel. The UPS sits in-line between the mains feeder and distribution rather than as a standby unit because audio-frequency track circuits require continuous sinusoidal power with less than 3% THD — a transfer gap of even 10ms would cause spurious track circuit occupancy indications, potentially triggering emergency braking. Vital and non-vital loads are separated at the distribution panel bus level to ensure a fault on non-vital equipment (diagnostics, HVAC, lighting) cannot trip vital supply protection. Load-shedding of non-vital circuits during battery operation extends vital runtime from 2 hours to approximately 3.5 hours. Rationale: Online UPS avoids transfer-time gaps that would corrupt audio-frequency track circuit operation. Bus separation isolates vital signalling loads from non-vital fault propagation. This topology is standard practice for UK mainline signalling equipment rooms per NR/L2/SIGELP/27725. | Analysis | informational |
| ARC-012 | ARC: Signalling Diagnostic and Monitoring System — Separated alarm management from condition monitoring to avoid data overload. The Alarm Management Processor applies EEMUA 191 rationalisation rules before forwarding to the Signaller Workstation, preventing alarm floods during cascade failures. The Condition Monitoring Server handles long-term trend analysis and predictive maintenance independently, storing 12 months of operational data. Event logging is a dedicated SIL2 unit because incident records must be tamper-evident and independently verifiable by RAIB investigators. Remote access is isolated behind a read-only gateway to prevent any remote path to safety-critical equipment. Rationale: Functional separation ensures alarm management latency is not affected by heavy predictive analytics processing. Independent event logging at SIL2 ensures incident records are admissible for regulatory investigation. Read-only remote gateway eliminates the cybersecurity risk of remote control paths to vital signalling. | Analysis | informational |
| ARC-CBIARCHITECTUREDECISIONS-001 | ARC: Computer-Based Interlocking — 2oo3 voted architecture with distributed Object Controllers and centralised Communication Gateway. The VPU uses triple-redundant processing rather than 2oo2D (two-out-of-two with diagnostics) because 2oo3 provides higher availability: a single channel failure degrades to 2oo2 operation rather than system shutdown. Object Controllers are distributed to trackside locations rather than centralised in the equipment room, reducing cabling cost by approximately 60% and enabling geographic fault isolation — a failed OC affects only its local objects, not the entire interlocking. The Communication Gateway is a separate component from the VPU to isolate protocol complexity and external network exposure from the safety kernel. Alternative considered: integrated comms within VPU (rejected due to increased attack surface on the safety processor and higher re-certification cost when protocol versions change). Rationale: This architecture decision records the key trade-offs in CBI component topology. The 2oo3 vs 2oo2D decision is the most consequential: it trades slightly higher hardware cost (3 vs 2 channels) for significantly higher availability, which is justified by the 99.99% system availability requirement. | Inspection | informational |
| ARC-SYS-ARC-002 | ARC: Train Detection Subsystem — Dual-technology detection (audio-frequency track circuits plus axle counters) with centralised Data Concentrator. Track circuits provide continuous passive detection on plain line; axle counters are used at locations where track circuit performance is unreliable (level crossings, poor ballast areas, points zones with traction current interference). The Data Concentrator aggregates both technologies into a single occupancy table rather than exposing heterogeneous detector types to the interlocking, isolating the CBI from detector-technology changes. Alternative considered: unified axle-counter-only detection (rejected because track circuits provide independent broken-rail detection capability that axle counters lack, and regulatory precedent in most European networks requires track circuits on plain line). Rationale: Dual-technology detection maximises both safety coverage (track circuits detect broken rails, which axle counters cannot) and availability (axle counters maintain operation during poor insulation conditions that degrade track circuits). The centralised Data Concentrator decouples the CBI from field detector technology, enabling future migration without interlocking software changes. | Inspection | informational |
| ARC-SYS-ARC-004 | ARC: ETCS Radio Block Centre — Layered architecture separating safety application (MA computation) from safe communication (Euroradio) and radio bearer (GSM-R). The RBC Application Server implements SUBSET-026 movement authority logic in a 2oo2 hot-standby configuration, isolated from communication protocol complexity. Euroradio (SUBSET-037) provides SIL 4 end-to-end safety on top of the inherently unreliable GSM-R bearer, enabling the safety case to be independent of radio network reliability. The GSM-R Radio Interface Module is non-vital, allowing radio technology migration to FRMCS without re-certifying the safety application. A dedicated RBC-CBI Interface Gateway isolates the interlocking protocol from the ETCS application, so CBI vendor changes do not cascade into ETCS re-certification. The Handover Controller is separated from the core MA engine because inter-RBC coordination has distinct timing constraints (5-second handover budget) and state management that would add complexity to the safety-critical MA computation path. Alternative considered: monolithic RBC with integrated communications (rejected due to re-certification cost explosion when any protocol layer changes, and inability to achieve independent safety cases for application vs communication layers per EN 50129). Rationale: Layered separation is mandated by the EN 50129 safety case structure which requires independent safety arguments for application and communication. The 2oo2 hot-standby (rather than 2oo3) for the RBC Application Server is driven by SUBSET-026 defining a clean primary/standby failover model for MA continuity, unlike the interlocking which benefits from 2oo3 voting for cycle-by-cycle determinism. | Inspection | informational |
| ARC-SYS-ARC-005 | ARC: Level Crossing Protection System — Centralised controller with distributed field equipment and independent obstacle detection. The Level Crossing Controller is a single SIL 4 unit that sequences all protection actions, rather than distributed logic across field devices, because the protection sequence has strict temporal ordering (signals before barriers, alarm concurrent with signals) that would be difficult to guarantee with distributed coordination. Obstacle detection is a separate dual-technology system (IR + radar) rather than integrated into barrier sensors, because barrier-mounted sensors cannot detect objects that have entered the crossing deck after barrier descent begins — a separate scanning system covering the full road width is required. Alternative considered: CCTV-based obstacle detection with image processing (rejected due to insufficient reliability in fog, heavy rain, and night conditions compared to active IR/radar scanning, and higher false-positive rate that would delay crossing clearance). Rationale: Centralised sequencing eliminates timing hazards from distributed synchronisation. Independent obstacle detection addresses the hazard of a vehicle trapped on the crossing deck — this is the primary collision mechanism at UK level crossings and requires dedicated detection independent of the barrier system itself. | Inspection | informational |
| ARC-SYS-ARC-006 | ARC: Points and Crossing Drive System — Centralised drive controller with per-machine detection independence. The Point Drive Controller acts as a single electronics module managing both conventional point machines and swing-nose crossing actuators, with the critical safety function (blade position detection) implemented as an independent assembly with its own fail-safe relay contacts, not embedded in the drive electronics. This separation ensures that drive controller faults (power stage failure, firmware defect) cannot corrupt detection integrity. The swing-nose crossing actuator is treated as a distinct component with its own detection rather than a sub-function of the point machine, because the synchronisation interlock between blade and nose movement is a safety-critical sequencing function that must be independently testable. Point heating is architecturally decoupled from the vital signalling chain — it connects directly to the diagnostic system, not through the Point Drive Controller — because heating is a maintenance function with different availability and integrity requirements than the safety-critical drive/detect path. Rationale: The detection-independence architecture is driven by SIL 4 requirements per EN 50129 Table A.1: the detection function achieves its safety target through hardware independence from the drive function, not through software diversity alone. The swing-nose separation is driven by high-speed line safety cases requiring independent proof that both blade and nose are seated. The heating decoupling prevents a heating fault from degrading the vital signalling path. | Inspection | informational |
| ARC-SYS-ARC-007 | ARC: Signalling Communication Network — Layered architecture separating physical transport (PRP switches, fiber multiplexers) from safety protocol (RaSTA middleware) and security boundary (TS 50701 gateway). PRP chosen over HSR because the star topology of the SER requires standard Ethernet switches, not ring topologies. RaSTA provides SIL4 end-to-end safety independent of network SIL rating, allowing SIL2-rated switches. Cybersecurity boundary gateway enforces zone separation with deep packet inspection rather than VLAN-only isolation, providing defence-in-depth against lateral movement between safety and non-vital domains. IEEE 1588 PTP selected over NTP for sub-microsecond accuracy needed by juridical recording timestamps. Rationale: Layered decomposition enables independent certification of transport, safety protocol, and security components. PRP at SIL2 with RaSTA at SIL4 avoids the cost and complexity of SIL4-certifying network infrastructure while maintaining end-to-end safety integrity. | Analysis | informational |
| ARC-SYS-ARC-013 | ARC: Signaller Workstation — Separated display rendering, command input, alarm management, and access control into independent components with hot-standby redundancy at the workstation level. The Track Diagram Display Processor is dedicated to rendering because display update rates (500ms refresh, 200+ state changes/second) demand optimised graphics pipeline separate from command processing. Route Setting and Command Interface is separated from the display to enforce confirmation dialogs and audit trail generation as independent safety barriers — if the display processor fails, the command interface continues recording operator actions to the audit log. Alarm Display and Management Panel is an independent component rather than a tab in the track diagram because EEMUA 191 requires alarm presentation to remain visible and operational even during display processor degradation. The Workstation Redundancy Controller runs on dedicated embedded hardware independent of the workstation OS to avoid common-cause failures between the application being protected and the failover mechanism. Alternative considered: virtualised workstation with software-based HA (rejected because OS-level failures would simultaneously disable both application and failover detection, violating the independence requirement of EN 50129 Annex A for control system redundancy). Rationale: Component separation is driven by the need for independent failure modes: a display rendering fault must not prevent command input recording (juridical requirement), alarm presentation (EEMUA 191), or failover detection (availability). Dedicated redundancy hardware ensures failover survives OS crashes, the most common workstation failure mode observed in Network Rail's operational data. | Inspection | informational |
| ARC-SYS-ARC-014 | ARC: Traffic Management System — Separated automatic route setting, conflict resolution, train description, and timetable management into distinct components with a dedicated CBI interface gateway. The Automatic Route Setting Engine is the core decision component but is deliberately separated from the Conflict Detection and Resolution Module because ARS operates reactively (route requested when train approaches signal) while conflict resolution operates predictively (15-30 minute lookahead). Combining them would force a single processing model on fundamentally different temporal domains. The Train Describer is separated from ARS because TD must maintain a continuous, accurate berth table regardless of ARS mode (ARS can be disabled per area while TD must always run). TMS-CBI Interface Gateway isolates vendor-specific CBI protocol changes from TMS application logic, allowing CBI migration without TMS re-development. Alternative: direct ARS-to-CBI connection (rejected because each CBI vendor uses different route-setting protocols, and tight coupling would require TMS modification for every CBI upgrade). Rationale: Separation of reactive routing (ARS) from predictive conflict detection reflects fundamentally different algorithmic and timing requirements. The gateway isolation is driven by the commercial reality that TMS and CBI are typically supplied by different vendors, and interface changes are the primary cause of integration delays in UK re-signalling projects. | Inspection | informational |
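The layered separation that ARC-SYS-ARC-004 and ARC-SYS-ARC-007 describe (Euroradio over an unreliable GSM-R bearer, RaSTA over SIL 2 switches) only holds if the safety layer's receiver enforces authentication, sequence and freshness checks itself and falls back to a restrictive state when no valid data arrives within the timeout, which is exactly what the verification rows for the Object Controller, concentrator and RBC links test. The model below is an added example, not code from this report or from either protocol; the frame layout, the HMAC-SHA256 MAC, the 2 s window and timeout, and the `SafetyReceiver` class are all assumptions.

```python
"""Constructed model of an EN 50159-style safety-layer receiver.

A safety layer such as RaSTA or Euroradio owns the integrity checks
(sequence number, timestamp, cryptographic MAC) so that the bearer under
it need not be trusted. This is a simplified illustration, not either
protocol; the frame layout, key handling and timings are assumptions.
"""
import hashlib
import hmac
import struct

HEADER = struct.Struct(">HIQ")  # source id (u16), sequence (u32), timestamp ms (u64)
MAC_LEN = 32                    # HMAC-SHA256 digest length


def build_frame(key, src, seq, ts_ms, payload):
    """Sender side: header + payload, authenticated with HMAC-SHA256 (assumed)."""
    body = HEADER.pack(src, seq, ts_ms) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class SafetyReceiver:
    """Accepts a frame only when every check passes. A rejected frame never
    changes receiver state, so forged, replayed or delayed traffic cannot
    desynchronise the sequence counter or refresh the liveness timer."""

    def __init__(self, key, expected_src, window_ms=2000, timeout_ms=2000):
        self.key = key
        self.expected_src = expected_src
        self.window_ms = window_ms      # maximum timestamp skew accepted on a frame
        self.timeout_ms = timeout_ms    # liveness budget (cf. the 2 s RBC timeout)
        self.last_seq = None            # None until the first valid frame
        self.last_valid_ms = None
        self.last_payload = None
        self.alarms = []                # (reason, now_ms) for the diagnostic system

    def _reject(self, reason, now_ms):
        self.alarms.append((reason, now_ms))
        return False, reason

    def receive(self, raw, now_ms):
        """Validate one received frame. Returns (accepted, reason)."""
        if len(raw) < HEADER.size + MAC_LEN:
            return self._reject("truncated", now_ms)
        body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
        # 1. Authenticity first: nothing in an unauthenticated frame is trusted.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return self._reject("mac mismatch", now_ms)
        src, seq, ts_ms = HEADER.unpack_from(body)
        payload = body[HEADER.size:]
        if src != self.expected_src:
            return self._reject("wrong source", now_ms)
        # 2. Sequence: a replay (seq <= last) and a gap (seq > last + 1) are both
        #    faults. A real protocol would re-establish the connection after a
        #    gap; this model simply keeps rejecting until the expected frame arrives.
        if self.last_seq is not None:
            if seq <= self.last_seq:
                return self._reject("replay or out-of-sequence", now_ms)
            if seq != self.last_seq + 1:
                return self._reject("sequence gap", now_ms)
        # 3. Freshness: a delayed frame is not acted on even with a valid MAC.
        if abs(now_ms - ts_ms) > self.window_ms:
            return self._reject("stale timestamp", now_ms)
        self.last_seq = seq
        self.last_valid_ms = now_ms
        self.last_payload = payload
        return True, "accepted"

    def safe_state(self, now_ms):
        """Fail-safe output: restrictive unless a valid frame arrived within the
        liveness budget, so loss of the bearer never yields a permissive state."""
        if self.last_valid_ms is None or now_ms - self.last_valid_ms > self.timeout_ms:
            return "restrictive", None
        return "live", self.last_payload
```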

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| VER-027 | Verify SUB-REQS-FUNC-002: Set a route through a junction with 3 conflicting routes available. Confirm all points within the route lock to required positions (detection feedback within 6s). Attempt to set each conflicting route — verify all are rejected. Release the route and confirm points unlock after 120s timeout and all track sections clear. Rationale: Route-locking is the foundational safety function of any interlocking. Verification must confirm both positive (correct lock) and negative (conflict rejection) behaviours, using the EN 50128 SIL 4 test strategy requiring structured test cases derived from the interlocking application data. | Test | verification, cbi, session-303, idempotency:ver-sub002-route-lock-303 |
| VER-028 | Verify SUB-REQS-FUNC-005: Send a correctly authenticated, sequence-numbered command from VPU test harness to Object Controller. Confirm field output driven and read-back confirmation received within 50ms. Then inject a command with invalid authentication — verify Object Controller rejects it and maintains previous output state. Inject an out-of-sequence command — verify rejection and alarm generation. Rationale: The Object Controller's command authentication is a defence against spurious field equipment actuation. The test must prove both correct-path (valid command drives output) and attack-path (forged or replayed command rejected) behaviours per EN 50159 Category 1 communication requirements. | Test | verification, cbi, session-303, idempotency:ver-sub005-obj-ctrl-auth-303 |
| VER-029 | Verify SUB-REQS-FUNC-006: Load valid Interlocking Application Data with known SHA-256 hash into the VPU test instance. Confirm successful startup and transition to operational mode. Then corrupt a single byte of the application data file and restart — verify the VPU detects hash mismatch, refuses to enter operational mode, and generates a specific data integrity alarm. Rationale: Interlocking Application Data integrity is the basis of safe operation — a corrupted data set could create unsafe route conflicts. Verification must confirm both positive (valid data accepted) and negative (corrupted data rejected at startup) paths, consistent with CENELEC EN 50128 software verification requirements for SIL 4. | Test | verification, cbi, session-303, idempotency:ver-sub006-vpu-integrity-303 |
| VER-030 | Verify SUB-REQS-FUNC-008: With all three VPU channels operational, disable one channel via test fault injection. Confirm the CBI transitions to 2-out-of-2 mode within 100ms, continues processing routes, and generates a degradation alarm. Execute a route-set, signal-clear, and point-move sequence in degraded mode — verify correct operation. Confirm the CBI initiates repair notification within 30 minutes per the degradation time limit. Rationale: The 2oo3-to-2oo2 degradation path is the primary availability mechanism for the interlocking. Verification must prove both the transition (no momentary loss of service) and the continued safe operation in degraded mode, since the system may operate in this state for up to 30 minutes before requiring repair action. | Test | verification, cbi, degraded-mode, session-303, idempotency:ver-sub008-degraded-303 |
| VER-031 | Verify SUB-REQS-FUNC-015: Generate calibrated wheel pulse sequences at speeds of 0, 5, 100, 300, and 500 km/h using wheel diameters of 330mm, 680mm, and 1000mm. For each combination, pass a known number of axles (2, 4, 12, and 24 axles per train) through the counting point. Verify the evaluator reports the exact axle count with zero errors across 1000 repetitions per combination, confirming miscount probability below 10^-9. Rationale: Axle counting accuracy directly determines track occupancy state correctness. The test matrix covers the full speed and wheel diameter envelope specified in SUB-REQS-FUNC-015, with 1000 repetitions providing statistical confidence in the 10^-9 miscount probability bound. | Test | verification, train-detection, session-303, idempotency:ver-sub015-axle-counter-303 |
| VER-032 | Verify SUB-REQS-FUNC-016: Inject a simulated train entry of 4 axles followed by an exit count of 3 axles. Verify the evaluator sets the section to occupied (restrictive) state within 200ms (2 processing cycles). Confirm the evaluator generates a count discrepancy alarm with section identity, expected count, and actual count. Verify the section remains in occupied state until a supervised technician reset is performed. Rationale: Count discrepancy handling is the fail-safe mechanism of axle counting — when counts disagree, the section must default to occupied to prevent collision. The 200ms response time ensures the interlocking receives the restrictive indication before the next processing cycle can clear conflicting routes. | Test | verification, train-detection, session-303, idempotency:ver-sub016-discrepancy-303 |
| VER-053 | Verify IFC-CBIINTERFACES-025: Configure the Cybersecurity Boundary Gateway between the safety network and TMS. From the TMS side, attempt to send non-allowlisted protocol packets, malformed route requests, and replay captured messages. Verify that only allowlisted route request messages pass through and all others are blocked. From the safety network side, send route status and train position data and verify it reaches TMS correctly. Attempt to inject data from TMS into the safety network outside the controlled bidirectional channel. Pass criteria: unidirectional enforcement holds for all test cases, DPI blocks all non-conforming packets, and legitimate route requests are processed within 200ms. Rationale: Cybersecurity boundary is a critical defence layer — verification must demonstrate both that the unidirectional enforcement holds under attack and that legitimate traffic passes without disruption. DPI and allowlisting are tested with deliberately crafted adversarial traffic. | Test | verification, cybersecurity, session-307, idempotency:ver-ifc025-qc-307 |
| VER-054 | Verify IFC-CBIINTERFACES-027: Configure the Network Diagnostic and Monitoring Agent to transmit health data to the Signalling Diagnostic and Monitoring System via the Cybersecurity Boundary Gateway. Inject network alarm conditions (link down, threshold exceeded) and verify SNMP traps arrive within 5 seconds. Verify periodic polling metrics are received at intervals not exceeding 60 seconds. Simulate Boundary Gateway packet filtering and confirm monitoring traffic is correctly classified as non-vital and routed through the permitted channel. Pass criteria: all alarms received within 5 seconds, polling metrics arrive at configured interval, and no monitoring traffic bypasses the Boundary Gateway. Rationale: Network monitoring data must flow through the cybersecurity boundary to reach maintenance systems — verifying the path through the Boundary Gateway confirms both functional routing and security zone compliance. The 60-second polling interval and alarm latency bounds must be validated end-to-end including the gateway transit. | Test | verification, network-monitoring, session-307, idempotency:ver-ifc027-qc-307 |
| VER-055 | Verify SUB-REQS-FUNC-055: With signal displaying green aspect, remove the command input from the Object Controller by disconnecting the serial link. Measure time from disconnection to red aspect display. Repeat with supply power removal. Pass criteria: most restrictive aspect (red) displayed within 200ms of either fault condition in all 10 trials, via de-energised failsafe relay (verify relay state with independent monitoring). Confirm no transient non-red aspect is displayed during the transition. Rationale: SIL4 safety requirement — the failsafe default to danger aspect is the primary defence against signal driver failures. Testing must demonstrate both the timing bound (200ms) and the mechanism (de-energised relay) to confirm that the failsafe operates even under complete power loss. | Test | verification, signal-failsafe, safety, session-307, idempotency:ver-sub055-qc-307 |
| VER-056 | Verify SUB-REQS-FUNC-056: With both monitoring channels operational and all lamps healthy, confirm both channels report healthy and no failsafe relay trigger. Inject a known lamp failure detectable by both channels — confirm both detect and agree. Inject a discrepancy between channels by disconnecting one monitoring input while the other remains connected. Pass criteria: agreement case reports correct lamp status; disagreement case triggers failsafe relay within 500ms. Repeat for each aspect colour and for partial LED string failure. Rationale: The 2oo2 comparison architecture for lamp monitoring is a safety-critical function — a single monitoring channel failure must not cause a false healthy indication. Testing channel disagreement proves the failsafe mechanism operates when one monitor is unreliable. | Test | verification, signal-proving, safety, session-307, idempotency:ver-sub056-qc-307 |
| VER-057 | Verify SUB-REQS-FUNC-059: Set route through junction and confirm Junction Route Indicator illuminates with proceed aspect. Step signal to danger (red) and verify JRI extinguishes within 200ms. Disable the software route data path while maintaining a proceed aspect — verify JRI still obeys the hardware interlock tied to the main signal aspect. Inject a software command to illuminate JRI while signal is at danger — verify the hardware interlock prevents illumination. Pass criteria: JRI never illuminates when danger aspect is displayed, verified over 50 test cycles across all route/aspect combinations. Rationale: A lit JRI alongside a red signal is a hazardous misleading indication — driver may infer a route is set and pass the danger signal. The hardware interlock independence from the software route data path must be positively demonstrated. | Test | verification, junction-indicator, safety, session-307, idempotency:ver-sub059-qc-307 |
| VER-058 | Verify SUB-REQS-FUNC-037: Using calibrated gauge blocks, position blade tip at 0mm, 1mm, 1.9mm, 2.0mm, 2.1mm, and 3mm displacement from stock rail. At each position, read detection output. Pass criteria: detection reports 'detected' for displacements of 2.0mm or less; reports 'not detected' for displacements exceeding 2.0mm. Repeat at -25C, +20C, and +70C ambient temperatures to verify thermal stability. Measurement accuracy of test equipment shall be 0.1mm or better. Rationale: The 2mm detection threshold is the boundary between safe (locked) and unsafe (unlocked) blade position. Testing at the threshold boundary with calibrated displacement confirms the detection transition point is correctly set, and temperature cycling verifies thermal expansion does not shift the threshold. | Test | verification, point-detection, safety, session-307, idempotency:ver-sub037-qc-307 |
| VER-ANAL-008 | Verify SUB-REQS-PERF-010: Conduct worst-case execution time (WCET) analysis of the interlocking processing cycle with 200 simultaneous route requests, 500 track sections, and 120 point machines. Confirm by measurement on the target hardware with instrumented timing. Pass: measured WCET does not exceed 500ms under worst-case loading. Rationale: WCET analysis provides formal proof of timing compliance independent of test coverage. Combined with hardware measurement, this covers both theoretical and practical bounds. | Analysis | verification, cbi, vpu, performance, session-300 |
| VER-ANAL-009 | Verify SUB-REQS-PERF-011: Perform quantitative reliability analysis (Markov model or fault tree) of the VPU 2oo3 architecture using component failure rate data from manufacturer datasheets. Demonstrate MTBFd exceeds 100,000 hours and that MTTR of 30 minutes with on-site spares achieves the 99.99% availability target. Pass: calculated MTBFd >= 100,000 hours; availability model shows >= 99.99%. Rationale: Hardware reliability claims must be supported by quantitative analysis per EN 50129 Annex B. Field testing alone cannot demonstrate MTBFd within practical project timescales. | Analysis | verification, cbi, vpu, reliability, session-300 |
| VER-TEST-001 | Verify IFC-CBIINTERFACES-001: Inject simulated track circuit occupancy changes on the test interface at 2Hz rate. Confirm the interlocking receives and processes each state change within one 500ms cycle. Verify EN 50159 Category 1 message framing. Pass: all occupancy changes reflected in interlocking state within 500ms, no message rejection. Rationale: Integration test at system boundaries validates the actual message protocol and timing between CBI and train detection equipment. | Test | verification, cbi, train-detection, session-300 |
| VER-TEST-002 | Verify IFC-CBIINTERFACES-002: Set a route and confirm signal aspect command is issued to the correct Object Controller output. Then sever the command link and verify the signal reverts to red within 2 seconds. Test all aspect types (red, yellow, double-yellow, green, flashing). Pass: correct aspects commanded for valid routes; red default within 2 seconds on link loss. Rationale: Tests the safety-critical fail-safe signal behaviour and the complete command chain from VPU through Object Controller to signal head. | Test | verification, cbi, signals, session-300 |
| VER-TEST-003 | Verify IFC-CBIINTERFACES-003: Command each point machine to normal and reverse positions. Verify detection status is received within 200ms of movement completion. Simulate a detection failure (no detection after 10 seconds) and verify the interlocking reports point failure and cancels any route requiring that point. Pass: all detection states correctly received; timeout triggers point failure alarm. Rationale: Point detection is safety-critical — an undetected point allows route setting over unsecured switches. The timeout test verifies the fail-safe behaviour. | Test | verification, cbi, points, session-300 |
| VER-TEST-004 | Verify IFC-CBIINTERFACES-004: Establish RaSTA connection between CBI Communication Gateway and ETCS RBC test simulator. Set and release routes while measuring end-to-end latency of route status messages. Sever the connection and verify the RBC receives no valid data after the 2-second timeout. Pass: latency below 500ms for 99th percentile; timeout detection within 2.5 seconds. Rationale: Validates the safety communication protocol and timeout behaviour on the most critical external interface for ETCS Level 2 operations. | Test | verification, cbi, etcs, session-300 |
| VER-TEST-005 | Verify IFC-CBIINTERFACES-005: Send automatic route-setting commands from TMS test client. Verify route confirmation or rejection within 1 second. Send a command for a conflicting route and verify the interlocking rejects it regardless of TMS authority. Pass: all valid routes confirmed within 1 second; conflicting routes rejected; safety logic not overridden. Rationale: Demonstrates that the non-vital TMS interface cannot compromise interlocking safety logic, which is the fundamental safety principle of the CBI-TMS boundary. | Test | verification, cbi, tms, session-300 |
| VER-TEST-006 | Verify IFC-CBIINTERFACES-006: Simulate train approach and verify crossing activation command. Confirm that the protecting signal does not clear until crossing status reports barriers down. Simulate barrier failure and verify signal remains at red. Pass: signal clears only after barriers-down confirmed; barrier failure prevents signal clearance. Rationale: The level crossing interlock is a critical safety function — verifying that the signal cannot clear without barrier confirmation protects road users. | Test | verification, cbi, level-crossing, session-300 |
| VER-TEST-007 | Verify SUB-REQS-FUNC-001: Inject a known output command sequence and compare outputs from all three VPU channels. Introduce a deliberate bit-flip error in one channel and verify the 2oo3 voter produces the correct output and flags the faulty channel. Measure comparison window timing. Pass: correct output despite single-channel corruption; faulty channel detected; comparison within 10ms. Rationale: The 2oo3 voting mechanism is the primary safety architecture — this test validates both correct voting and fault detection. | Test | verification, cbi, vpu, session-300 |
| VER-TEST-010 | Verify IFC-CBIINTERFACES-007: Install wheel sensor pair at test track section boundary with 12 km cable run. Inject wheel-profile simulator pulses at speeds 0, 50, 200, and 500 km/h equivalent rates. Measure SNR at evaluator input at -40C and +70C ambient. Pass: SNR >= 20 dB at all conditions, evaluator correctly counts all injected pulses. Rationale: Full cable length and temperature extremes test worst-case signal attenuation. Speed range covers operational envelope endpoints. | Test | verification, train-detection, session-301 |
| VER-TEST-011 | Verify IFC-CBIINTERFACES-008: Connect track circuit relay simulator to concentrator input. Toggle occupied/clear at 5 Hz. Verify concentrator captures every state change with no missed transitions over 10000 cycles. Measure polling latency: pass if all transitions captured within 100ms. Rationale: 5 Hz toggle rate exceeds expected real-world transition rates and stress-tests the polling mechanism. 10000 cycles provides statistical confidence in reliability. | Test | verification, train-detection, session-301 |
| VER-TEST-012 | Verify IFC-CBIINTERFACES-009: Configure evaluator with 24 counting points. Inject simultaneous occupancy changes on all points. Capture RS-485 frames and verify: baud rate 19200, EN 50159 Cat 1 coding present (sequence number, CRC, timestamp), update rate >= 5 Hz per point, all occupancy states correctly reflected in concentrator output within 200ms. Rationale: Maximum counting-point load (24) tests throughput limits. Simultaneous changes test worst-case bus utilisation and message scheduling. | Test | verification, train-detection, session-301 |
| VER-TEST-013 | Verify IFC-CBIINTERFACES-010: Configure concentrator with 128 sections. Inject occupancy changes and capture vital serial output. Verify: cyclic message rate 10 Hz, EN 50159 Cat 3 coding with valid cryptographic MAC, all 128 section states correct. Inject corrupted messages and verify CBI rejects them. Rationale: 128-section load tests maximum capacity. Cryptographic authentication verification confirms the safety communication layer rejects tampered data, which is the primary defence against undetected data corruption on the vital link. | Test | verification, train-detection, session-301 |
| VER-TEST-014 | Verify SUB-REQS-FUNC-013: Apply calibrated 0.06 ohm shunting resistor across running rails at track circuit section. Measure detection time from shunt application to occupied indication. Repeat at 5 positions along section. Pass: all detections within 1 second. Rationale: 0.06 ohm shunt is the standard test resistance per EN 50238. Multiple positions test sensitivity across the full section length, including the known weak points near transmitter and receiver ends. | Test | verification, train-detection, session-301 |
| VER-TEST-015 | Verify SUB-REQS-FUNC-014: Disconnect track circuit receiver signal (simulate cable break). Measure time from signal loss to occupied indication. Repeat for power supply failure and transmitter failure modes. Pass: occupied indication within 500ms for all failure modes. Rationale: Tests all credible failure modes that could cause loss of received signal. Each must independently trigger the fail-safe occupied state within the specified time. | Test | verification, train-detection, session-301 |
| VER-TEST-016 | Verify IFC-CBIINTERFACES-011: Inject simulated route and occupancy updates from a CBI test harness at 10 Hz for 24 hours under 60-train load. Measure message delivery rate, sequence gap count, and timestamp drift. Pass criteria: zero sequence gaps, zero out-of-order deliveries, 100% message delivery rate. Rationale: 24-hour endurance test at full load verifies sustained interface performance, not just burst capability. Sequence gap and ordering checks validate the safety-relevant message integrity properties. | Test | verification, etcs-rbc, session-302 |
| VER-TEST-017 | Verify IFC-CBIINTERFACES-012: Transmit ETCS application messages of varying sizes (64B to 1023B) through the Euroradio layer under 60 concurrent sessions. Measure delivery confirmation latency for 10,000 messages. Pass criteria: 99.9% of messages confirmed within 2 seconds, maximum message size accepted without truncation. Rationale: Variable message sizes test boundary conditions including the 1023-byte maximum. 10,000 messages provide statistical confidence in the delivery confirmation timing across the session population. | Test | verification, etcs-rbc, session-302 |
| VER-TEST-018 | Verify IFC-CBIINTERFACES-013: Operate Euroradio over a GSM-R bearer simulator configured at 9.6 kbps with injected bit error rates from 10^-6 to 10^-2. Verify that Euroradio maintains SIL 4 message integrity at all error rates up to 10^-3. Pass criteria: zero undetected message corruptions across 10^6 test messages at each error rate level. Rationale: Graduated error injection from nominal to worst-case validates that the safety layer correctly handles the full range of bearer quality conditions. 10^6 messages per level provides statistical confidence in the residual error rate claim. | Test | verification, etcs-rbc, session-302 |
| VER-TEST-019 | Verify IFC-CBIINTERFACES-014: Trigger 100 handover requests at varying train speeds (80-300 km/h) and measure train state data transfer latency from request to complete delivery. Pass criteria: all transfers complete within 200ms, state data integrity verified against source. Rationale: Testing across the speed range validates that the interface performs consistently regardless of the urgency of the handover (higher speed = less time available). 100 iterations provide confidence in worst-case latency. | Test | verification, etcs-rbc, session-302 |
| VER-TEST-020 | Verify IFC-CBIINTERFACES-015: Generate 500 events per second from a simulated RBC Application Server for 1 hour. After test completion, verify that the Juridical Recording Unit received and stored every event with correct timestamps. Pass criteria: zero event loss, timestamp accuracy within 1ms of source. Rationale: 1-hour sustained peak load test validates the message queue's guaranteed delivery mechanism under worst-case conditions. Timestamp accuracy verification ensures the recording is usable for incident reconstruction. | Test | verification, etcs-rbc, session-302 |
| VER-TEST-021 | Verify SUB-REQS-FUNC-020: Execute 10,000 MA computation cycles under 60-train load with varying route complexity (simple through-route to complex junction with 8+ points). Measure computation time from input receipt to output ready. Pass criteria: 100% of cycles complete within 800ms, 99th percentile below 600ms. Rationale: 10,000 cycles across route complexity variants validate worst-case performance. The 99th percentile check at 600ms provides margin assurance — if the distribution is tight, the 800ms budget is well-allocated. | Test | verification, etcs-rbc, session-302 |
| VER-TEST-022 | Verify SUB-REQS-FUNC-022: With 60 active train sessions, inject primary unit failure (power loss, software crash, communication loss). Measure time from failure detection to standby assuming all sessions. Verify no train session is lost or interrupted. Repeat for 50 failure scenarios. Pass criteria: all failovers complete within 3 seconds, zero session loss. Rationale: 50 failure scenarios cover the range of failure modes (hardware, software, communication). Full 60-train load during failover tests the worst case where all sessions must transfer simultaneously. | Test | verification, etcs-rbc, session-302 |
| VER-TEST-023 | Verify SUB-REQS-FUNC-030: Issue emergency stop commands during various RBC load conditions (idle, 30 trains, 60 trains) and measure time from command receipt to transmission of emergency messages to all affected trains. Pass criteria: all emergency messages transmitted within 500ms in every scenario. Rationale: Testing at multiple load levels validates that emergency message prioritisation works correctly — the 500ms budget must hold even when the RBC is at peak MA computation load. This is the most safety-critical timing requirement in the ETCS RBC. | Test | verification, etcs-rbc, session-302 |
| VER-TEST-024 | Verify IFC-CBIINTERFACES-016: Simulate 1000 train approach sequences with the CBI test harness. Measure approach trigger to controller acknowledgment latency and crossing protection status report delivery to CBI. Inject communication faults during 10% of sequences. Pass criteria: all messages delivered within 500ms, fault conditions correctly reported to CBI within 1 second. Rationale: 1000 sequences provide statistical confidence in timing. Communication fault injection validates the safety communication layer's error detection and fail-safe reporting. | Test | verification, level-crossing, session-302 |
| VER-TEST-025 | Verify IFC-CBIINTERFACES-017: Place test objects of 0.5m, 0.3m, and 1.0m height on crossing deck and verify detection status output. Disconnect sensor communication and verify fail-safe obstacle-present output within 200ms. Pass criteria: 0.5m and 1.0m objects detected, 0.3m objects not detected, fail-safe output asserted within one scan cycle of communication loss. Rationale: Boundary testing at threshold height validates discrimination between hazardous and non-hazardous objects. Fail-safe test validates the critical safety property that sensor failure is treated as obstacle present. | Test | verification, level-crossing, session-302 |
| VER-TEST-026 | Verify IFC-CBIINTERFACES-018: Command 500 barrier raise/lower cycles and verify position feedback accuracy against independent angle measurement. Simulate motor stall at various positions and verify controller detects stall within 200ms. Pass criteria: position accuracy within 1 degree, stall detection within 2 update cycles. Rationale: 500 cycles test mechanical endurance and interface reliability. Independent angle measurement validates feedback accuracy. Stall detection timing is critical for the controller to stop driving a barrier that has contacted an obstacle. | Test | verification, level-crossing, session-302 |
| VER-TEST-033 | Verify IFC-CBIINTERFACES-019: Connect Point Drive Controller to instrumented point machine with inline power analyser. Command 10 consecutive throws. Verify 3-phase voltage is 380-440V at 50Hz. Verify current sampling captures at least 100 samples per second. Inject a mechanical obstruction at 50% throw and verify current spike is captured. Pass criteria: all voltage within range, sampling rate confirmed, obstruction signature detected in current log. Rationale: Integration test at the power interface boundary. Inline power analyser provides independent measurement of voltage and frequency. Obstruction injection validates the current monitoring path end-to-end, not just the sampling rate in isolation. | Test | verification, points-drive, session-304, idempotency:ver-ifc019-power-304 |
| VER-TEST-034 | Verify IFC-CBIINTERFACES-020: With point machine in normal position, verify both detection channels report normal-detected. Move blade 1mm beyond detection threshold using precision actuator. Verify both channels transition to not-detected within 50ms (measured by oscilloscope on relay contacts). Repeat for reverse position. Disconnect one channel and verify the remaining channel alone does not satisfy the two-channel detection requirement. Pass criteria: detection transitions within 50ms, single channel insufficient. Rationale: Precision actuator enables controlled displacement testing at the exact detection threshold. Oscilloscope timing verifies the 50ms latency requirement. Single-channel disconnection test validates the independence and dual-channel logic required for SIL 4. | Test | verification, points-drive, session-304, idempotency:ver-ifc020-detect-304 |
| VER-TEST-035 | Verify IFC-CBIINTERFACES-021: Command a full throw of a high-speed turnout with swing-nose crossing. Instrument the main blade and crossing nose positions with displacement transducers. Verify that nose drive command is not issued until main blades reach mid-stroke. Verify that overall point detection is not reported until nose detection is confirmed. Introduce a nose detection failure and verify overall detection remains not-detected. Pass criteria: sequencing confirmed, nose failure prevents overall detection. Rationale: Displacement transducers provide continuous position tracking to verify the sequencing interlock at the mechanical level, not just the electrical command level. The nose detection failure test validates the critical safety interlock: a route must never be set over a high-speed turnout with an unproven nose position. | Test | verification, points-drive, swing-nose, session-304, idempotency:ver-ifc021-sync-304 |
| VER-TEST-036 | Verify IFC-CBIINTERFACES-022: Configure Point Heating System with diagnostic reporting enabled. Monitor SNMP or Modbus TCP traffic for 5 minutes. Verify reports arrive at intervals not exceeding 60 seconds. Verify each report contains heater status, power consumption, ambient readings, and heating mode. Simulate a heater element failure and verify fault appears in next report cycle. Pass criteria: all report fields present, interval within specification, fault detected. Rationale: Network traffic monitoring provides independent verification of reporting interval and content completeness. The simulated element failure validates the diagnostic path for the most common point heater failure mode. | Test | verification, points-drive, heating, session-304, idempotency:ver-ifc022-diag-304 |
| VER-TEST-037 | Verify SUB-REQS-FUNC-036: Command 20 consecutive throws (10 normal-to-reverse, 10 reverse-to-normal) at ambient temperatures of -25°C, +20°C, and +55°C. Measure elapsed time from drive command receipt at Point Drive Controller input to detection confirmed at output. Pass criteria: all throws complete within 6 seconds for standard (up to 60m) switch lengths. Rationale: Temperature extremes test hydraulic fluid viscosity effects on throw time — low temperature increases viscosity and slows the actuator. 20 throws provide statistical significance. Both throw directions must be tested as hydraulic circuits may have asymmetric flow characteristics. | Test | verification, points-drive, session-304, idempotency:ver-sub036-throw-304 |
| VER-TEST-038 | Verify SUB-REQS-FUNC-040: With points in detected-normal position, remove power supply to the Point Position Detection Assembly. Measure time from power removal to detection output transitioning to not-detected at the Point Drive Controller output. Repeat for detected-reverse position. Pass criteria: detection defaults to not-detected within 100ms in both cases. Rationale: Validates the SIL 4 fail-safe path. Power removal simulates the worst-case detection circuit failure. Oscilloscope measurement at the PDC output boundary provides precise timing. Both positions must be tested as the relay circuits may have different release characteristics for normal vs reverse contacts. | Test | verification, points-drive, safety, session-304, idempotency:ver-sub040-failsafe-304 |
| VER-TEST-039 | Verify SUB-REQS-FUNC-038: During a point throw, introduce calibrated obstructions of 5N, 50N, and 500N force at 25%, 50%, and 75% of throw stroke. Verify Point Drive Controller detects obstruction (current exceeds 150% nominal) within 1 second, removes drive power, and reports obstruction fault to Object Controller. Pass criteria: obstruction detected and drive removed within 1 second for all force levels that exceed the 150% current threshold. Rationale: Calibrated obstruction forces test the sensitivity of current signature analysis across the throw profile. Different positions along the stroke have different normal current profiles, so the 150% threshold must work at all positions. The 5N level tests that small obstructions below the threshold do not cause false trips. | Test | verification, points-drive, safety, session-304, idempotency:ver-sub038-obstruction-304 |
| VER-TEST-040 | Verify IFC-CBIINTERFACES-024: Inject single link failure on one PRP path during sustained vital message traffic between CBI and network switch. Pass criteria: zero frame loss detected at receiving endpoint, measured by RaSTA sequence number gap analysis. Repeat for each port and each cable segment. Rationale: Direct test of PRP zero-recovery-time claim under realistic traffic conditions. Sequence number analysis provides frame-level detection of any loss that traditional packet counters might miss. | Test | verification, communication-network, session-305 |
| VER-TEST-041 | Verify SUB-REQS-FUNC-044: Measure end-to-end message delivery latency from CBI application buffer through network to each connected subsystem under maximum traffic load using hardware-timestamped test frames. Pass criteria: 99.99th percentile latency does not exceed 50 milliseconds across 24-hour test duration. Rationale: 24-hour duration captures diurnal traffic patterns and background maintenance activities. Hardware timestamping eliminates software-induced measurement jitter. 99.99th percentile threshold ensures the requirement is met under worst-case conditions, not just average. | Test | verification, communication-network, session-305 |
| VER-TEST-042 | Verify SUB-REQS-FUNC-045: Inject known message corruptions (bit flip, replay, sequence reversal, delayed delivery beyond Tmax) into RaSTA communication path. Pass criteria: all injected errors detected and reported by the RaSTA Protocol Stack within one safety time interval, with no corrupted message delivered to the application layer. Rationale: Fault injection verifies each EN 50159 threat class is independently detected. Testing all threat classes ensures the safety case claim of Category 3 coverage is substantiated by evidence. | Test | verification, communication-network, session-305 |
| VER-TEST-043 | Verify IFC-CBIINTERFACES-026: Measure time offset between PTP grandmaster and each network endpoint using independent GPS-disciplined reference clock. Pass criteria: offset does not exceed 100 nanoseconds at any endpoint over 72-hour test, including during simulated GNSS signal loss with holdover active. Rationale: 72-hour test duration exercises holdover behaviour beyond the 24-hour requirement to verify margin. Independent GPS reference eliminates circular measurement dependency on the system under test. | Test | verification, communication-network, session-305 |
| VER-TEST-044 | Verify SUB-REQS-FUNC-047: Attempt to send non-allowlisted protocol packets and malformed messages through the Cybersecurity Boundary Gateway from the non-vital network side. Pass criteria: all non-allowlisted traffic is blocked, blocked attempts are logged with source address and timestamp, and no additional latency beyond 1ms is introduced on concurrent permitted traffic. Rationale: Penetration testing from the non-vital side validates the allowlist enforcement. Concurrent permitted traffic measurement ensures security inspection does not degrade safety-critical communication timing. | Test | verification, communication-network, session-305 |
| VER-TEST-045 | Verify SUB-REQS-FUNC-049: Degrade a network link to produce packet loss exceeding 0.001 percent. Pass criteria: alarm generated within 30 seconds, alarm correctly identifies the degraded link, and health data appears in the Signalling Diagnostic and Monitoring System within 60 seconds. Rationale: Validates both alarm timing and correct link identification under controlled degradation conditions. 60-second diagnostic propagation confirms the cross-subsystem interface operates correctly. | Test | verification, communication-network, session-305 |
| VER-TEST-046 | Verify IFC-CBIINTERFACES-023: Measure optical link parameters including BER, received power, and link distance on each fiber trunk between SER and lineside locations. Pass criteria: BER better than 10^-12 sustained over 48-hour continuous traffic test, and link operates at specified distance with 3dB margin. Rationale: 48-hour BER measurement provides statistical confidence at 10^-12 level. 3dB optical margin accounts for connector aging, cable splice degradation, and temperature-dependent attenuation variation over the link lifetime. | Test | verification, communication-network, session-305 |
| VER-TEST-047 | Verify IFC-CBIINTERFACES-028: Apply rated load to each LED Signal Module output of the Signal Aspect Driver. Measure drive current per LED string with calibrated ammeter. Verify 350mA ±2% under steady-state conditions. Measure current ripple with oscilloscope at 100MHz bandwidth. Pass: ripple does not exceed 5% peak-to-peak across all strings at -25°C and +70°C ambient. Rationale: Integration test at system boundaries to verify interface compliance between Signal Aspect Driver and LED Signal Module. | Test | verification, colour-light, session-306 |
| VER-TEST-048 | Verify IFC-CBIINTERFACES-030: With Signal Aspect Driver commanding green aspect, trigger Signal Proving Unit failsafe condition. Verify via oscilloscope that all proceed-aspect drive outputs are physically disconnected and danger aspect is driven within 500ms. Repeat with proving unit power removed. Pass: relay de-energises and danger aspect displays in both scenarios. Rationale: Critical safety verification: the hardwired failsafe relay must operate correctly independent of software state, and must default safe on power loss. | Test | verification, colour-light, safety, session-306 |
| VER-TEST-049 | Verify IFC-CBIINTERFACES-029: Inject known currents into LED string monitoring connections using calibrated current source. Compare Signal Proving Unit readings against reference. Pass: measurement error does not exceed 2% across 10% to 100% of rated current range at -25°C and +70°C. Rationale: Monitoring accuracy verification ensures the proving unit can reliably distinguish degraded strings from healthy ones across the full operating temperature range. | Test | verification, colour-light, session-306 |
| VER-TEST-050 | Verify IFC-CBIINTERFACES-031: Connect Signal Proving Unit to Diagnostic System via RS-485 bus. Send poll commands at specified interval. Verify response within 500ms containing valid lamp status, degradation percentage, and failure classification. Simulate lamp failure and verify correct reporting. Pass: all fields correctly populated within timing constraint. Rationale: Diagnostic interface verification at integration level to confirm data format, timing, and content accuracy. | Test | verification, colour-light, diagnostic, session-306 |
| VER-TEST-051 | Verify IFC-CBIINTERFACES-032: Command route data to Junction Route Indicator while main aspect is at danger. Verify indicator remains dark. Set route and display proceed aspect. Verify correct feather/character illuminates within 500ms. Revert to danger. Verify indicator extinguishes within 200ms. Disconnect data path and verify interlock independently prevents illumination. Pass: all timing and interlock criteria met. Rationale: Combined functional and safety test verifying both the route data path and the independent hardware interlock that prevents misleading indications. | Test | verification, colour-light, junction-indicator, session-306 |
| VER-TEST-052 | Verify SUB-REQS-FUNC-053: With signal displaying green, simulate proceed-aspect LED module failure by open-circuiting LED strings to reduce output below 70%. Measure time from failure injection to danger aspect display. Repeat for yellow and double-yellow aspects. Pass: failsafe activates within 500ms in all cases across 100 test cycles. Rationale: Statistical verification of the safety-critical failsafe timing requirement across multiple test cycles to establish confidence in the 500ms bound. | Test | verification, colour-light, safety, session-306 |
| VER-TEST-059 | Verify IFC-CBIINTERFACES-033: Connect Signalling Power Feeder output to UPS input via test cable. Measure output voltage at UPS input terminals under no-load, 50 percent load, and full-load conditions. Pass criteria: voltage within 99V to 121V (110V plus or minus 10 percent), frequency 50Hz plus or minus 0.5Hz. Verify individual circuit protection trips within rated curve. Rationale: Integration test at the feeder-UPS boundary confirms power quality at the handoff point and validates circuit protection sizing. | Test | verification, power-supply, session-308 |
| VER-TEST-060 | Verify IFC-CBIINTERFACES-034: Operate UPS under battery backup condition. Measure output voltage and THD at distribution panel input using a power quality analyser. Pass criteria: voltage 110V plus or minus 5 percent, THD below 3 percent at 25, 50, 75, and 100 percent load steps. Verify maintenance bypass transfers load without interruption (zero transfer time on oscilloscope). Rationale: Confirms UPS output quality meets track circuit sensitivity requirements and validates bypass path for maintenance access. | Test | verification, power-supply, session-308 |
| VER-TEST-061 | Verify IFC-CBIINTERFACES-035: Apply controlled earth fault at 30mA on one track circuit feeder cable. Measure alarm generation time at distribution panel. Pass criteria: alarm within 2 seconds, faulted circuit identified by circuit number, other circuits unaffected. Rationale: Validates earth-fault detection sensitivity and response time at track circuit distribution boundary. | Test | verification, power-supply, session-308 |
| VER-TEST-062 | Verify IFC-CBIINTERFACES-036: Configure Monitoring Controller and Diagnostic System on test network. Generate test alarm conditions (low battery, mains loss, earth fault). Pass criteria: all alarm states reported via Modbus TCP within 10-second polling cycle, battery SOC accurate within 5 percent of reference measurement. Rationale: Confirms end-to-end data flow from power monitoring to diagnostic system and validates alarm propagation timing. | Test | verification, power-supply, session-308 |
| VER-TEST-063 | Verify SUB-REQS-FUNC-061: Disconnect mains supply to UPS with signalling installation at full rated vital load. Monitor UPS output voltage continuously. Pass criteria: output voltage remains within specification for minimum 120 minutes. Record actual runtime to exhaustion for capacity baseline. Rationale: Full-load discharge test confirms battery capacity meets the 2-hour backup requirement under worst-case conditions. | Test | verification, power-supply, session-308 |
| VER-TEST-064 | Verify SUB-REQS-FUNC-066: Simulate mains loss with non-vital loads connected. Measure time from mains loss confirmation to non-vital circuit de-energisation. Pass criteria: non-vital loads shed within 5 seconds, vital loads unaffected, predicted runtime exceeds 3.5 hours. Rationale: Validates the load-shedding sequence timing and confirms extended vital runtime calculation is correct. | Test | verification, power-supply, session-308 |
| VER-TEST-065 | Verify SUB-REQS-FUNC-067: Introduce a cell simulator with adjustable voltage into the battery bank. Set one cell 0.35V below bank average. Pass criteria: alarm generated within one polling cycle, alarm identifies specific cell position. Repeat for temperature sensor at 46 degrees Celsius. Rationale: Confirms cell-level monitoring detects incipient battery failure before it affects backup capacity. | Test | verification, power-supply, session-308 |
| VER-TEST-066 | Verify IFC-CBIINTERFACES-037: Generate 50 test alarms of mixed priority from alarm simulator. Measure end-to-end delivery time from alarm generation to Signaller Workstation display update. Pass criteria: all alarms displayed within 2 seconds with correct priority, source identification, and suggested response text. Rationale: Validates alarm delivery latency and data completeness at the AMP-Workstation boundary under representative load. | Test | verification, diagnostic-monitoring, session-308 |
| VER-TEST-067 | Verify IFC-CBIINTERFACES-038: Generate 1000 test events with known sequence numbers via CMS. Disconnect and reconnect network link between CMS and Event Logger after event 500. Pass criteria: all 1000 events present in Event Logger with correct sequence, reconnection within 5 seconds, no duplicates or gaps. Rationale: Tests guaranteed delivery and reconnection behaviour under network disruption conditions. | Test | verification, diagnostic-monitoring, session-308 |
| VER-TEST-068 | Verify IFC-CBIINTERFACES-039: Attempt remote login with valid single-factor credentials. Pass criteria: access denied. Login with valid MFA credentials. Pass criteria: access granted, session logged with user identity and timestamp. Issue diagnostic query and verify query content appears in audit log. Rationale: Tests MFA enforcement and audit logging at the remote access boundary. | Test | verification, diagnostic-monitoring, session-308 |
| VER-TEST-069 | Verify SUB-REQS-FUNC-068: Generate sustained alarm stream at 30 alarms per minute from test simulator. Measure alarm rate at operator display after rationalisation. Pass criteria: displayed rate does not exceed 10 alarms per 10 minutes during normal mode, 20 during upset mode. Rationale: Validates EEMUA 191 alarm rate compliance under sustained high-rate input. | Test | verification, diagnostic-monitoring, session-308 |
| VER-TEST-070 | Verify SUB-REQS-FUNC-072: Record events from GPS-synchronised reference clock. Compare Event Logger timestamps against reference. Pass criteria: timestamp deviation does not exceed 1ms across 24-hour test period. Rationale: Validates timestamp accuracy against GPS reference over extended period to detect drift. | Test | verification, diagnostic-monitoring, session-308 |
| VER-TEST-071 | Verify IFC-CBIINTERFACES-040: Inject 200 simultaneous object state changes via CBI test interface. Measure end-to-end delivery time from CBI output cycle to Track Diagram Display Processor data receipt. Pass: all state updates received within 500ms. Verify RaSTA protocol integrity by injecting corrupted packets and confirming rejection. Rationale: Integration test at CBI-workstation boundary. 200 simultaneous changes represent peak traffic load. Corruption injection verifies RaSTA safety layer protects display integrity. | Test | verification, signaller-workstation, session-309, idempotency:ver-ifc040-statedata-309 |
| VER-TEST-072 | Verify IFC-CBIINTERFACES-041: Issue route-setting, signal replacement, and emergency control commands from test workstation. Measure delivery confirmation latency. Attempt commands for objects outside authenticated area. Pass: all commands confirmed within 1 second; out-of-area commands rejected at interface level before reaching CBI. Rationale: Tests both timing and access control enforcement at the command interface boundary. Out-of-area rejection test verifies defence-in-depth for area authority. | Test | verification, signaller-workstation, safety, session-309, idempotency:ver-ifc041-commands-309 |
| VER-TEST-073 | Verify IFC-CBIINTERFACES-042: Generate 50 test alarms of mixed priority from alarm simulator, injected at Alarm Management Processor output. Measure delivery latency to Alarm Display and Management Panel. Verify alarm message structure contains all specified fields (ID, priority, subsystem, timestamp, text). Pass: all alarms received within 500ms with complete fields. Rationale: 50-alarm burst tests interface capacity under alarm flood conditions while verifying structured message completeness. | Test | verification, signaller-workstation, session-309, idempotency:ver-ifc042-alarms-309 |
| VER-TEST-074 | Verify IFC-CBIINTERFACES-043: Send 50 route-setting requests via TMS-CBI Interface Gateway. Measure CBI response time for confirmation/rejection. Inject invalid route requests and verify rejection. Pass: all valid routes confirmed or rejected within 2 seconds; invalid requests return error codes. Rationale: Tests TMS-CBI interface boundary under load. Invalid route injection verifies CBI validates all TMS commands independently. | Test | verification, traffic-management, session-309, idempotency:ver-ifc043-tmscbi-309 |
| VER-TEST-075 | Verify IFC-CBIINTERFACES-044: Simulate 100 concurrent berth stepping events from Train Describer. Measure delivery latency to Track Diagram Display Processor. Verify headcode labels match berth positions on displayed track diagram. Pass: all identity updates delivered within 500ms with correct berth association. Rationale: 100 concurrent steps test interface throughput at peak berth-stepping rate. Visual verification confirms end-to-end identity-to-berth correctness. | Test | verification, traffic-management, signaller-workstation, session-309, idempotency:ver-ifc044-trainid-309 |
| VER-TEST-076 | Verify IFC-CBIINTERFACES-045: Trigger 10 conflict detection events from TMS test data. Measure delivery latency from detection to display on Signaller Workstation. Verify conflict alert includes at least 3 regulation options. Pass: all alerts displayed within 2 seconds with options ranked by delay impact. Rationale: Tests the full conflict alert path from detection to signaller presentation. Option ranking verification ensures decision support quality. | Test | verification, traffic-management, signaller-workstation, session-309, idempotency:ver-ifc045-conflicts-309 |
| VER-TEST-077 | Verify SUB-REQS-FUNC-079: Inject 50 alarms within 5 seconds from alarm simulator. Verify flood management activates, consequential alarms are suppressed, and root-cause summary groups alarms by originating subsystem. Pass: flood mode activates when threshold exceeded; summary displays within 2 seconds of activation. Rationale: Tests alarm flood detection threshold and root-cause grouping accuracy under realistic cascade conditions. | Test | verification, signaller-workstation, session-309, idempotency:ver-sub079-alarmflood-309 |
| VER-TEST-078 | Verify SUB-REQS-FUNC-080: Simulate primary workstation failure (kill application process, disconnect display, disconnect network). Measure switchover time to standby. Verify standby displays identical track diagram, alarm queue, and authenticated session. Pass: switchover completes within 5 seconds for all three failure modes. Rationale: Three distinct failure injection modes (process, display, network) verify the Workstation Redundancy Controller detects all monitored failure types. State verification confirms complete transfer. | Test | verification, signaller-workstation, reliability, session-309, idempotency:ver-sub080-failover-309 |
| VER-TEST-079 | Verify SUB-REQS-FUNC-081: Attempt login with valid smart card and PIN. Attempt login with invalid PIN. Attempt route-setting command for object outside assigned area. Pass: valid credentials grant access; invalid PIN rejected; out-of-area commands blocked. Rationale: Tests both positive authentication path and negative cases (wrong credentials, area violation) to verify access control enforcement. | Demonstration | verification, signaller-workstation, safety, session-309, idempotency:ver-sub081-auth-309 |
| VER-TEST-080 | Verify SUB-REQS-FUNC-085: Load ARS with 500 simulated train services across full control area timetable. Measure ARS decision cycle time under full load. Pass: all route-setting decisions completed within 2-second cycle time with no missed routes. Rationale: 500-train load test verifies ARS performance at rated capacity. Decision cycle measurement confirms algorithmic scalability. | Test | verification, traffic-management, performance, session-309, idempotency:ver-sub085-arscapacity-309 |
| VER-TEST-081 | Verify SUB-REQS-FUNC-088: Send 100 route-setting commands to TMS-CBI Interface Gateway within 1 second. Verify gateway rate-limits to 20 commands/second and buffers excess in FIFO order. Inject 150 commands to exceed queue depth. Pass: first 100 commands queued and delivered at 20/s; commands beyond queue depth of 100 rejected with error. Rationale: Tests both rate limiting enforcement and queue overflow behaviour under burst conditions exceeding rated capacity. | Test | verification, traffic-management, session-309, idempotency:ver-sub088-ratelimit-309 |
| VER-TEST-082 | Verify SUB-REQS-FUNC-060: Inject simulated lamp degradation (LED current reduction to 70%, 50%, 30% thresholds) and partial failure (single LED string open circuit) into Signal Proving Unit test harness. Confirm diagnostic messages transmitted to Diagnostic System within 10-second reporting interval with correct degradation percentage and failure mode classification. Pass: all injected faults reported within one reporting cycle with correct classification. Rationale: Validates lamp monitoring detection threshold and reporting latency. Degradation thresholds chosen to match EN 50129 signal visibility safety case requirements. | Test | verification, colour-light, session-311, idempotency:ver-spu-lamp-reporting-311 |
| VER-TEST-083 | Verify SUB-REQS-FUNC-070: Stimulate field equipment state changes (point position, track circuit, signal lamp, power supply) across all monitored subsystems simultaneously. Measure time from state change at field equipment to corresponding database record on Condition Monitoring Server. Pass: 95th percentile collection latency does not exceed 30 seconds under peak load (all subsystems reporting simultaneously). Rationale: Validates end-to-end monitoring latency under worst-case concurrent reporting. 30-second threshold ensures maintainers have near-real-time visibility of degradation trends before safety functions are compromised. | Test | verification, diagnostic-monitoring, session-311, idempotency:ver-cms-aggregation-latency-311 |
| VER-TEST-084 | Verify SUB-REQS-FUNC-071: Establish remote diagnostic session through Remote Diagnostic Gateway. Attempt write and control commands (route setting, signal control, point operation, configuration changes) through all available diagnostic protocols and API endpoints. Confirm all write attempts are rejected. Verify audit trail records each rejected attempt with session identity and timestamp. Pass: zero write commands reach safety-critical equipment and all attempts are logged. Rationale: Security boundary verification through adversarial testing. Must prove no diagnostic protocol or API endpoint can be exploited to inject control commands into the vital signalling chain. | Test | verification, diagnostic-monitoring, session-311, idempotency:ver-rdg-readonly-311 |
| VER-TEST-085 | Verify SUB-REQS-FUNC-089: Import reference working timetable in CIF format containing known scheduling conflicts (overlapping platform allocations at 3 stations, physically impossible run times on 2 segments). Measure import-to-validation completion time. Import a valid timetable and confirm acceptance within 60 seconds. Pass: all 5 injected conflicts detected, valid timetable accepted within time limit, rejection report identifies conflict type and location. Rationale: Validates both the 60-second performance requirement and the conflict detection accuracy. Injected conflicts represent real-world scheduling errors observed in UK Network Rail timetable data. | Test | verification, traffic-management, session-311, idempotency:ver-timetable-validation-311 |
| VER-TEST-086 | Verify system-level end-to-end: Simulate train approach on occupied route (axle counter detection) through interlocking route processing to signal aspect change and point position confirmation. Measure total chain latency from Wheel Sensor activation through Axle Counter Evaluator, Train Detection Data Concentrator, Computer-Based Interlocking route evaluation, to Signal Aspect Driver commanding restrictive aspect and Point Drive Controller confirming locked position. Pass: end-to-end chain completes within 2 seconds under nominal conditions; safety-critical aspects (restrictive signal, point lock) achieved within 500ms of interlocking decision; no data loss across 1000 consecutive test cycles. Rationale: Validates the primary safety chain from detection to protection. The 2-second end-to-end budget derives from SYS-REQS-FUNC-005 (ETCS MA computation) and SYS-REQS-PERF-002 (signal aspect update). The 500ms sub-budget for safety actions ensures the interlocking can meet its worst-case reaction time. 1000 cycles validates statistical reliability of the chain. | Test | verification, system-level, safety, session-311, idempotency:ver-system-e2e-safety-chain-311 |
| VER-TEST-087 | Verify SYS-REQS-FUNC-009: Install AWS permanent magnets and TPWS track-mounted loops at 10 test signal locations. Run 100 test train passes per signal with TPWS-equipped test vehicle. Confirm AWS horn sounds at every approach, TPWS Overspeed Sensor System triggers at speeds exceeding threshold by 3 km/h, and TPWS Train Stop System applies brakes within 1 second of passing signal at danger. Concurrently verify ETCS MA delivery is unaffected by AWS/TPWS equipment presence. Pass criteria: 99.9 percent intervention rate across 1000 test demands, zero interference with ETCS operation. Rationale: AWS/TPWS intervention reliability must be demonstrated by statistical testing across multiple signal locations to account for installation variation. The 1000-demand test programme provides 95 percent confidence for the 99.9 percent reliability claim per IEC 61508 statistical testing requirements. | Test | verification, aws-tpws, validation, session-313 |
| VER-TEST-088 | Verify SYS-REQS-FUNC-011: Simulate total CBI failure by disconnecting the Vital Processing Unit from the signalling network. Measure time from failure detection to degraded-mode indication on signaller workstation. Verify signaller can release individual track sections for verbal authorisation within the 60-second target. Execute 4 train movements per hour through the degraded area using Rule Book Module TW1 procedures. Confirm all safety interlocks prevent inadvertent release of occupied sections. Pass criteria: degraded indication within 60 seconds, 4 trains per hour achieved without safety violation, no occupied section released. Rationale: Degraded mode transition must be demonstrated end-to-end including human operator procedures because the 60-second target includes signaller recognition and mode selection time, not just system response. The 4 trains per hour throughput test validates operational viability under degraded conditions. | Demonstration | verification, degraded-mode, validation, session-313 |
| VER-TEST-089 | Verify SYS-REQS-FUNC-012: Generate simultaneous state changes across all subsystems at a peak rate of 500 events per second for 24 hours. After the test period, retrieve and verify records for 100 randomly sampled events across CBI, train detection, ETCS, level crossing, and points subsystems. Confirm all events are recorded with correct UTC timestamps within 1ms of the source timestamp. Attempt record modification to verify the tamper-evidence mechanism. After a 6-month retention test, confirm the oldest records remain accessible. Simulate a RAIB data request and measure retrieval time. Pass criteria: zero event loss, timestamp accuracy within 1ms, tamper detection functional, 6-month retention verified, retrieval within 4 hours. Rationale: Event recording must be verified at peak load across all subsystems simultaneously because event storms during major failures are exactly when complete recording is most critical. The 24-hour sustained test validates storage capacity. The 6-month retention test validates long-term data integrity. | Test | verification, recording, validation, session-313 |
| VER-TEST-090 | Verify SYS-REQS-FUNC-013: Apply a temporary speed restriction of 40 km/h to a test section. Verify lineside signal approach aspects are reduced per RT/E/S/11201 within one signal update cycle. Verify ETCS movement authority includes the speed restriction in the MA speed profile sent to test trains. Verify signaller workstation displays TSR location, speed limit, and remaining duration. Remove the TSR and verify normal aspects and MA speed profiles are restored. Test with 5 concurrent TSRs across different sections. Pass criteria: correct approach aspects within 500ms, ETCS MA includes restriction within 2 seconds, display shows all active TSRs accurately, removal restores normal operation within one update cycle. Rationale: TSR management must be verified for both lineside and ETCS paths simultaneously because a mismatch between lineside indication and ETCS MA speed profile would create hazardous inconsistency. The 5-concurrent-TSR test validates the system under realistic operational load since major possessions often impose multiple simultaneous restrictions. | Test | verification, tsr, validation, session-313 |
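A checker for three of the VER-TEST-089 pass criteria (zero event loss, recorded timestamp within 1 ms of the source timestamp, tamper detection), added here as an example that is not part of the generated report or of any product it names. The record layout, the SHA-256 hash chain, the out-of-band head hash and the five sample events are assumptions; the report only states that records carry UTC timestamps at 1 ms resolution and a tamper-evidence mechanism.

```python
"""Checker for the VER-TEST-089 pass criteria covered here: zero event loss,
recorded UTC timestamp within 1 ms of the source timestamp, and detection of
record modification. The record layout, SHA-256 chaining and sample events are
assumptions made for this example, not the recorder's actual format."""
import hashlib
import json
from dataclasses import dataclass

TIMESTAMP_TOLERANCE_MS = 1   # VER-TEST-089 pass criterion
GENESIS_HASH = "0" * 64      # assumed back-link value for the first record

@dataclass
class SourceEvent:
    """Event as emitted by a subsystem (CBI, train detection, ETCS, ...)."""
    subsystem: str
    source_ts_ms: int        # UTC milliseconds stamped at the source
    payload: str

@dataclass
class EventRecord:
    """What the recorder persists: the source event, the recorder's own
    timestamp, and a hash linking the record to its predecessor."""
    seq: int
    subsystem: str
    source_ts_ms: int
    recorded_ts_ms: int      # UTC milliseconds stamped by the recorder
    payload: str
    prev_hash: str
    record_hash: str

def record_hash(seq, subsystem, source_ts_ms, recorded_ts_ms, payload, prev_hash):
    """SHA-256 over every field plus the previous hash (canonical JSON)."""
    material = json.dumps([seq, subsystem, source_ts_ms, recorded_ts_ms,
                           payload, prev_hash], separators=(",", ":"))
    return hashlib.sha256(material.encode("utf-8")).hexdigest()

def append_record(chain, event, recorded_ts_ms):
    """Append one source event, stamping it with the recorder's clock."""
    prev = chain[-1].record_hash if chain else GENESIS_HASH
    seq = len(chain)
    digest = record_hash(seq, event.subsystem, event.source_ts_ms,
                         recorded_ts_ms, event.payload, prev)
    chain.append(EventRecord(seq, event.subsystem, event.source_ts_ms,
                             recorded_ts_ms, event.payload, prev, digest))
    return chain[-1]

def verify_chain(chain, expected_head=None):
    """Seq numbers of records whose hash or back-link is wrong. An edited
    payload breaks its own hash; an edited-and-rehashed record breaks the
    next record's prev_hash; an edited-and-rehashed last record is caught
    only against a head hash kept out of band (expected_head)."""
    bad, prev = [], GENESIS_HASH
    for rec in chain:
        expected = record_hash(rec.seq, rec.subsystem, rec.source_ts_ms,
                               rec.recorded_ts_ms, rec.payload, rec.prev_hash)
        if rec.prev_hash != prev or rec.record_hash != expected:
            bad.append(rec.seq)
        prev = rec.record_hash
    if expected_head is not None and chain and prev != expected_head:
        if chain[-1].seq not in bad:
            bad.append(chain[-1].seq)
    return bad

def missing_events(source_events, chain):
    """Source events that never made it into the record (event loss)."""
    recorded = {(r.subsystem, r.source_ts_ms, r.payload) for r in chain}
    return [e for e in source_events
            if (e.subsystem, e.source_ts_ms, e.payload) not in recorded]

def timestamp_violations(chain, tolerance_ms=TIMESTAMP_TOLERANCE_MS):
    """Seq numbers whose recorder timestamp drifts beyond the tolerance."""
    return [r.seq for r in chain
            if abs(r.recorded_ts_ms - r.source_ts_ms) > tolerance_ms]

def evaluate(source_events, chain, expected_head=None):
    """Apply the three criteria and list the offending events or records."""
    lost = missing_events(source_events, chain)
    drift = timestamp_violations(chain)
    broken = verify_chain(chain, expected_head)
    return {"event_loss_ok": not lost, "timestamp_ok": not drift,
            "integrity_ok": not broken, "lost": lost, "drift": drift,
            "broken": broken}

def build_sample():
    """Constructed sample: one event from each of the five subsystems named in
    VER-TEST-089; the level-crossing event is stamped 2 ms late by the
    recorder, so it must be reported as a timestamp violation."""
    base = 1_700_000_000_000  # arbitrary UTC epoch milliseconds
    events = [SourceEvent("CBI", base, "route A12 set"),
              SourceEvent("train-detection", base + 2, "TC 41 occupied"),
              SourceEvent("ETCS", base + 4, "MA sent to train 1A23"),
              SourceEvent("level-crossing", base + 6, "barriers lowered"),
              SourceEvent("points", base + 8, "P101 detected reverse")]
    chain = []
    for ev in events:
        skew = 2 if ev.subsystem == "level-crossing" else 0
        append_record(chain, ev, ev.source_ts_ms + skew)
    return events, chain
```

The head hash must be stored somewhere the recorder cannot rewrite (for example signed and forwarded to the Condition Monitoring Server at intervals), otherwise a rewrite of the most recent record followed by a rehash passes every in-chain check.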
```mermaid
flowchart TB
    n0["component<br>Vital Processing Unit"]
    n1["component<br>Object Controller"]
    n2["component<br>Interlocking Application Data"]
    n3["component<br>Communication Gateway"]
    n4["component<br>Engineering and Maintenance Terminal"]
    n0 -->|Vital commands / field status| n1
    n2 -.->|Route/control tables| n0
    n0 -->|Route state / MA data| n3
    n3 -->|Route requests / coordination| n0
    n4 -->|Diagnostics / data load| n0
```
Computer-Based Interlocking — Internal
```mermaid
flowchart TB
    n0["component<br>Audio-Frequency Track Circuit"]
    n1["component<br>Wheel Sensor"]
    n2["component<br>Axle Counter Evaluator"]
    n3["component<br>Train Detection Data Concentrator"]
    n1 -->|Analogue pulse signals| n2
    n0 -->|Occupied/clear relay status| n3
    n2 -->|Section occupancy via RS-485| n3
```
Train Detection Subsystem — Internal
```mermaid
flowchart TB
    n0["SIL 4 MA computation<br>RBC Application Server"]
    n1["SIL 4 safe messaging<br>Euroradio Safe Comm Layer"]
    n2["Radio bearer<br>GSM-R Radio Interface"]
    n3["SIL 4 interlocking link<br>RBC-CBI Interface Gateway"]
    n4["RBC-RBC handover<br>RBC Handover Controller"]
    n5["Event logging<br>Juridical Recording Unit"]
    n3 -->|Route status, track occupancy| n0
    n0 -->|MA messages, ETCS packets| n1
    n1 -->|Authenticated messages| n2
    n0 -->|Train state, boundary data| n4
    n4 -->|RBC-RBC handover msgs| n1
    n0 -->|All operational events| n5
```
ETCS Radio Block Centre — Internal
```mermaid
flowchart TB
    n0["SIL 4 sequencer<br>Level Crossing Controller"]
    n1["Visual warning<br>Road Traffic Signal Assembly"]
    n2["Electromechanical<br>Barrier Drive Mechanism"]
    n3["IR + Radar sensor<br>Obstacle Detection System"]
    n4["Sound emitter<br>Audible Warning Device"]
    n0 -->|Signal commands| n1
    n0 -->|Barrier raise/lower| n2
    n0 -->|Alarm on/off| n4
    n3 -->|Obstacle status| n0
    n2 -->|Position feedback| n0
```
Level Crossing Protection System — Internal
```mermaid
flowchart TB
    n0["electronics<br>Signal Aspect Driver"]
    n1["optoelectronics<br>LED Signal Module"]
    n2["assembly<br>Multi-Aspect Signal Head"]
    n3["safety-monitor<br>Signal Proving and Monitoring Unit"]
    n4["display<br>Junction Route Indicator"]
    n0 -->|24VDC drive current| n1
    n0 -->|Route drive data| n4
    n1 -->|Aspect modules| n2
    n3 -->|Current monitoring| n1
    n3 -->|Failsafe override| n0
```
Colour-Light Signalling Output — Internal
```mermaid
flowchart TB
    n0["component<br>Signalling Power Feeder"]
    n1["component<br>Signalling UPS"]
    n2["component<br>Power Distribution Panel"]
    n3["component<br>Track Circuit Power Feed"]
    n4["component<br>Monitoring Controller"]
    n0 -->|Mains AC| n1
    n0 -->|Direct feed bypass| n2
    n1 -->|Conditioned AC| n2
    n2 -->|110V AC vital| n3
    n4 -.->|Status monitor| n0
    n4 -.->|Battery health| n1
    n4 -.->|Circuit status| n2
```
Signalling Power Supply System — Internal
```mermaid
flowchart TB
    n0["component<br>Condition Monitoring Server"]
    n1["component<br>Event Logger and Replay Unit"]
    n2["component<br>Remote Diagnostic Gateway"]
    n3["component<br>Alarm Management Processor"]
    n0 -->|Event data feed| n1
    n0 -->|Maintenance alarms| n3
    n3 -->|Raw alarm stream| n0
    n2 -.->|Remote read access| n0
```
Signalling Diagnostic and Monitoring System — Internal
```mermaid
flowchart TB
    n0["component<br>Track Diagram Display Processor"]
    n1["component<br>Route Setting and Command Interface"]
    n2["component<br>Alarm Display and Management Panel"]
    n3["component<br>Workstation Redundancy Controller"]
    n4["component<br>Signaller Authentication and Access Control Module"]
```
Signaller Workstation — Internal
```mermaid
flowchart TB
    n0["component<br>Automatic Route Setting Engine"]
    n1["component<br>Timetable and Train Graph Processor"]
    n2["component<br>Conflict Detection and Resolution Module"]
    n3["component<br>Train Describer and Berth Management"]
    n4["component<br>TMS-CBI Interface Gateway"]
```
Traffic Management System — Internal
| Entity | Hex Code | Description |
|---|---|---|
| Alarm Display and Management Panel | 54FD7A58 | Alarm presentation and management HMI component integrated into the signaller workstation. Receives rationalised alarms from the Alarm Management Processor via the signalling data network. Displays alarms in priority-sorted list with colour coding (red=safety, amber=operational, blue=maintenance). Provides alarm acknowledgement, shelving, and filtering functions. Implements alarm flood management — suppresses cascade alarms during major failures and presents root-cause summary. Audible annunciation for unacknowledged safety alarms. Displays alarm history with search and filter. Must present new alarms within 1 second of receipt. Compliant with EEMUA 191 alarm management guidelines for control room displays. |
| Alarm Management Processor | 51F77A58 | Dedicated processor that receives raw alarm streams from all signalling subsystems, applies alarm rationalisation rules (suppression, shelving, grouping, prioritisation) per EEMUA 191 alarm management guidelines. Reduces alarm floods during cascade failures by correlating root-cause alarms. Outputs prioritised alarm list to Signaller Workstation displays and routes maintenance-level alarms to the Condition Monitoring Server. Maintains alarm history database with acknowledgement timestamps and operator response actions. |
| Audio-Frequency Track Circuit | 54E57018 | Jointless audio-frequency track circuit equipment (transmitter-receiver pairs) for continuous rail vehicle detection on main running lines. Operating frequency range 1.5-2.6 kHz (TI21/FS2500 type). Transmitter injects coded AC signal through running rails; receiver detects impedance drop when train axle shunts the circuit. No insulated rail joints required — frequency separation isolates adjacent sections. Fail-safe: loss of received signal = occupied. Detection sensitivity: 0.06 ohm shunting resistance. Outdoor trackside installation in hostile EMI environment near AC traction systems. |
| Automatic Route Setting Engine | 51B67B18 | Decision engine within a railway Traffic Management System that automatically requests routes from the Computer-Based Interlocking based on timetable data and real-time train positions. Compares planned train paths (from imported timetable) against current track occupation and train describer berth data. Issues route-setting commands to the CBI 2-4 minutes before a train requires access, optimising junction capacity by sequencing conflicting routes. Supports automatic regulation decisions (hold, re-route, re-order) when trains deviate from timetable. Non-vital system — all route requests are validated by the CBI interlocking logic before execution. Handles up to 500 trains simultaneously across a regional control area. Interfaces with the signaller workstation for manual override and conflict resolution. |
| AWS/TPWS Train Protection Equipment | D7E77859 | Combined Automatic Warning System and Train Protection and Warning System trackside equipment for UK mainline railway signalling. AWS comprises a permanent magnet installed between the rails 180m before each signal, which triggers an audible warning in the cab via an electromagnetic receiver on the train. TPWS comprises two elements: the Overspeed Sensor System, a pair of track-mounted inductive loops 50m apart before each signal that detects trains exceeding the approach speed threshold, and the Train Stop System, a single loop at the signal itself that triggers emergency braking if the train passes a signal at danger. TPWS operates independently of the driver and CBI, providing a last-resort safety barrier with target intervention speed of 75 mph. SIL 2 integrity for AWS, SIL 4 for TPWS train stop function. Must coexist with ETCS balise groups without electromagnetic interference. |
| Axle Counter Evaluator | 50B57018 | Central safety processing unit for the axle counting subsystem. Receives pulse signals from paired wheel sensor heads at track section boundaries, counts axle entries and exits per section, and determines occupancy by difference. Dual-channel (2oo2D) architecture with diverse hardware for SIL 4 compliance per EN 50129. Manages up to 24 counting points (48 sensor heads). Fail-safe: any counting discrepancy or communication loss forces section to 'occupied' state. Provides reset functionality requiring manual confirmation for count error recovery. Indoor installation in signalling equipment room. Interface to Train Detection Data Concentrator via RS-485 vital serial link. |
| Barrier Drive Mechanism | D6F51018 | Electromechanical barrier drive unit for railway level crossing half-barriers. DC motor-driven with worm gear reduction providing self-locking in any position. Barrier descent time 6-10 seconds configurable. Barrier rise time 4-8 seconds. Torque-limited to prevent injury (maximum 150 Nm at barrier tip). Position sensing via rotary encoder and limit switches at fully raised and fully lowered positions. Emergency manual release for road user entrapment. IP55 rated for outdoor installation. Operating temperature -25°C to +55°C. |
| Colour-Light Signalling Output | D4F5F858 | Lineside signal units displaying 2-aspect (red/green), 3-aspect (red/yellow/green), or 4-aspect (red/yellow/double-yellow/green) indications to train drivers. Modern multi-LED signal heads with individual LED monitoring for lamp-proved feedback to interlocking. Signal current detection confirms signal is displaying commanded aspect — any discrepancy triggers immediate red-revert. Junction indicator (feather) routes with 5-white-light arrays. Controlled via fail-safe relay or solid-state output from interlocking. Designed for outdoor mounting on posts or gantries, visible at >1000m in clear conditions. Includes approach-lighting to conserve LED life. |
| Computer-Based Interlocking | 51F77A58 | SIL 4 vital safety processor implementing route-locking and conflict-prevention logic for a mainline railway signalling system. Receives train detection data (track circuit states, axle counter counts) and operator route requests. Computes safe signal aspects and point positions by evaluating interlocking tables that encode all permissible route combinations. Outputs include signal commands, point drive commands, and level crossing activation triggers. Dual-redundant 2oo2 architecture with continuous self-checking. Must achieve <10^-9/h wrong-side failure rate. Response time <500ms from detection input to output command. Operates in indoor equipment rooms with conditioned power. |
| Condition Monitoring Server | 51B53218 | Central server aggregating real-time health data from all signalling subsystems (interlocking, track circuits, points, signals, communications, power supply) via multiple protocols (Modbus TCP, SNMP, OPC UA, proprietary serial). Runs predictive maintenance algorithms analysing trend data to forecast component degradation. Stores 12 months of rolling operational data for post-incident analysis and reliability reporting. Redundant server pair in active-standby configuration with automatic failover. Located in equipment room with connection to Wide Area Network for remote access. |
| Conflict Detection and Resolution Module | 51FC7B08 | Algorithmic conflict prediction engine within a railway Traffic Management System. Continuously analyses train running data and timetable to detect future path conflicts at junctions, crossovers, and single-line sections. Looks ahead 15-30 minutes using current train speeds and planned stopping patterns. When a conflict is detected, evaluates regulation options (re-order, hold, re-route, reduce dwell) and recommends the option that minimises total delay across all affected services. Uses weighted objective function considering train priority (express vs stopping), connection protection, and overall network delay propagation. Presents conflict alerts and recommended resolutions to the signaller for approval or manual override. Non-safety-critical — operates on predicted paths only, not on actual interlocking commands. |
| Cybersecurity Boundary Gateway | D1B77858 | Industrial firewall and network segmentation appliance implementing the demilitarized zone between the safety-critical signalling network (Zone 1 per TS 50701) and non-vital networks including traffic management system, diagnostic system, and corporate IT network. Enforces strict unidirectional or controlled bidirectional data flow policies. Deep packet inspection for signalling protocols with allowlisting of permitted message types. Intrusion detection system monitoring for anomalous traffic patterns. Dual-redundant with stateful failover. Must not introduce more than 1ms additional latency on permitted traffic flows. Rack-mounted in the signalling equipment room. |
| diesel generator | D6C41019 | Backup power generator for a railway signalling system, providing emergency power during mains failure |
| Electro-Hydraulic Point Machine | DFF51018 | Clamp-lock electro-hydraulic actuator for railway switches/turnouts. Contains a 3-phase AC motor driving a hydraulic pump, which pressurises a cylinder to move switch blades between normal and reverse positions. Locking is achieved by hydraulic clamping with mechanical backup. Typical throw stroke 143-220mm, throw force 4.5-7.5kN, operating time 3-8 seconds depending on switch length. Must operate reliably from -40°C to +70°C in exposed trackside environments. Installed at each switch/turnout on the controlled infrastructure. SIL 4 safety function: must not move blades while train is traversing, must lock positively in detected position. Key types include Alstom Hy-Drive P80, Siemens S700K, Vossloh BISI. |
| Engineering and Maintenance Terminal | 508C3218 | Non-vital workstation providing controlled access to the Computer-Based Interlocking for maintenance, testing, and configuration. Supports data loading (uploading new Interlocking Application Data after validation), diagnostic readout (VPU health, channel comparison status, watchdog timers), and controlled test mode enabling individual object stimulation for commissioning. Connected to VPU via a physically separate non-vital Ethernet port with role-based access control. All actions are logged with timestamp, operator ID, and action type. Used during planned possessions (track closures) for commissioning and fault investigation. Does not carry safety-critical data in operation. |
| ETCS Radio Block Centre | 51E57A58 | Core network-side component of ETCS Level 2 providing continuous cab signalling for mainline railway operations. Receives train position reports via GSM-R radio link, computes movement authorities (MA) based on interlocking route status and preceding train positions, and transmits MA, speed profile, and gradient data to on-board ETCS equipment (EVC). Interfaces with interlocking via standardised protocol for route status. Manages track description data (national values, speed restrictions, gradient profiles) stored in engineering databases. Handles up to 60 trains simultaneously with <2s MA computation latency. Eurobalise transponders provide fixed reference points for position calibration. SIL 4 for MA computation, SIL 2 for non-vital functions. |
| Euroradio Safe Communication Layer | 40B57958 | Safety communication layer implementing SUBSET-037 and SUBSET-098 for authenticated integrity-protected message exchange between ETCS Radio Block Centre and onboard equipment. Provides SIL 4 end-to-end safety on unreliable GSM-R bearer. Uses 3DES/AES-128 session keys from K-KMC authentication. Implements sequence numbering, timestamp validation, T_NVCONTACT timeout monitoring, and message integrity codes. Handles session establishment, maintenance, and safe disconnection. Supports 60 concurrent train sessions. Latency budget under 500ms one-way. |
| Event Logger and Replay Unit | 50A57258 | SIL2 tamper-evident event recording system that captures all signalling state changes, operator commands, alarm events, and interlocking decisions with GPS-synchronised timestamps at 1ms resolution. Records to dual redundant non-volatile storage (RAID-1 SSD) with minimum 90-day retention. Provides incident replay functionality for post-incident investigation by signalling engineers and RAIB inspectors. Data format compliant with Network Rail standard NR/L2/SIGP/10201 for signalling event recording. |
| GSM-R Radio Interface Module | D0F47018 | Non-vital radio network interface providing GSM-R bearer connectivity between ETCS Radio Block Centre and train-borne equipment. Interfaces with GSM-R Mobile Switching Centre via E1/IP trunks. Supports circuit-switched data at 9.6 kbps and GPRS packet-switched fallback. Manages radio session setup, handover between base stations, and emergency group calls. Handles 60 simultaneous radio sessions with under 200ms call setup time. Future interface provision for FRMCS migration over 5G. |
| Interlocking Application Data | 40853950 | Safety-validated geographic and control table data encoding the specific junction or station layout for a Computer-Based Interlocking. Contains route tables (origin signal, destination, points in route, overlap, flank protection), control tables (conditional approach control, sequential release timers), and element configuration (signal aspect sequences, point detection timeouts). Generated from signalling design schematics using certified data preparation tools and independently verified per EN 50128 SIL 4. Loaded as read-only dataset into VPU — any modification requires full re-validation. |
| Interlocking Communication Gateway | 50E57858 | Safety-certified communication interface module within the Computer-Based Interlocking, handling all external data exchange with adjacent interlockings, ETCS Radio Block Centre, Traffic Management System, and Signaller Workstation. Implements EN 50159 safety communication layers with cryptographic message authentication, sequence numbering, and timeout supervision. Manages multiple concurrent protocol sessions: proprietary vital link to adjacent CBIs for route-locking coordination, RaSTA (Rail Safe Transport Application) to ETCS RBC for movement authority data, and non-vital TCP/IP to TMS for route request/confirmation. Throughput: handles up to 200 messages/second with <50ms latency for vital links. |
| Junction Route Indicator | D4F47850 | Supplementary route indication display mounted below or alongside a main railway colour-light signal at junctions. Two common types in UK practice: (1) Multi-lamp feather indicator using 5 fibre-optic or LED position lights arranged in diagonal rows, each row indicating a diverging route direction; (2) Theatre-type alphanumeric matrix display using LED dot matrix to show route letters/numbers for complex junctions with more than 5 routes. Driven by separate route data from the CBI Object Controller independent of the main aspect command. Must illuminate within 500ms of route being set and locked. Only illuminated when a proceed aspect is displayed — extinguished when signal shows danger. SIL4 integrity for correct route/aspect correlation. Visibility requirement: 200m minimum in daylight conditions. |
| Juridical Recording Unit | 40843358 | Non-vital recording and logging unit capturing all ETCS Radio Block Centre operational decisions for post-incident analysis and regulatory compliance. Records all movement authority computations, train position reports, session establishments, emergency messages, and system state transitions with UTC timestamps at 1ms resolution. Stores data on redundant non-volatile media with minimum 90-day retention. Tamper-evident logging with cryptographic chain of custody. Data export via standardised interface for accident investigation authorities per EU directive 2016/798. Storage capacity for 500,000 events. |
| LED Signal Module | D6C55058 | Individual LED-based lamp unit fitted into each aspect position of a railway colour-light signal head. Contains array of high-intensity LEDs (typically 50-70 per module) arranged in redundant strings with individual current regulation. Produces monochromatic output: red (625nm), yellow (590nm), or green (505nm) per Railway Group Standard. Built-in monitoring outputs provide current feedback per LED string to the Signal Proving Unit. Designed for 100,000-hour MTBF with graceful degradation — signal remains visible with up to 30% LED string failure. Operates at 24VDC nominal from Signal Aspect Driver. Replaces older sealed-beam filament units while maintaining the same optical beam pattern and luminous intensity (>200cd for red, >300cd for green). |
| Level Crossing Audible Warning Device | D5D77A58 | Electronic audible warning device generating 2.5 kHz tone at 90 dBA at 1m distance for alerting road users to approaching trains at railway level crossings. Dual speakers for redundancy. Self-monitoring with fault detection reporting to Level Crossing Controller. Timed operation: sounds for fixed duration during barrier descent sequence, silences after barriers fully lowered to reduce noise impact on nearby residents. Environmental rating IP66. Compliant with BS EN 50556. |
| Level Crossing Controller | 51F77A78 | SIL 4 safety-critical controller managing the sequencing of road traffic signals, barriers, and audible warnings at railway level crossings. Receives approach trigger from CBI or track circuits indicating train approaching. Executes fixed protection sequence: activate road warning lights, sound audible alarm, lower half-barriers (if fitted), confirm protection complete to CBI. Monitors barrier position via limit switches. Handles obstacle detection sensor input. Fail-safe design: any component failure results in crossing remaining or returning to protected state. Interfaces with CBI via EN 50159 safe link. Manages crossing types MCB (manually controlled barrier), AOCL (automatic open crossing locally monitored), and AHB (automatic half barrier). |
| Level Crossing Obstacle Detection System | 55F77A19 | Scanning infrared and radar-based obstacle detection system monitoring the level crossing deck area for vehicles, pedestrians, or objects that have not cleared the crossing before barrier descent. Dual-technology (IR + radar) for weather resilience. Scans crossing area every 200ms. Detection zone covers full road width plus 1m either side. Must detect objects above 0.5m height. Interfaces with Level Crossing Controller to inhibit barrier descent or trigger crossing alarm if obstacle detected. False positive rate below 1 per 1000 crossings to prevent unnecessary traffic disruption. |
| Level Crossing Protection System | 55F77A59 | Automatic half-barrier level crossing (AHBC) system protecting road/rail intersections. Approach detection triggers sequence: road traffic lights amber then red, audible warnings activate, half-barriers descend. Full sequence time 27-32 seconds depending on approach speed. Barrier mechanism: electric motor with spring-return fail-safe (barriers descend on power loss). CCTV monitoring for operator-controlled crossings (MCB-OD type). Road traffic signals integrated with highway authority traffic management. Obstacle detection via radar or lidar for full-barrier crossings. Interfaces with interlocking for route-locking — no route set over crossing until barriers proven down. SIL 4 for crossing activation logic. |
| Lineside Transmission Multiplexer | D0E57018 | Time-division multiplexer or MPLS-TP node providing deterministic communication between lineside location cabinets and the signalling equipment room over fiber-optic trunk cables. Aggregates multiple low-bandwidth copper circuits from trackside equipment (signals, points, track circuits) onto high-capacity fiber links spanning 2-50km. Must maintain link availability >99.999% with automatic protection switching <50ms on fiber path failure. Operating in outdoor or semi-sheltered lineside cabinets exposed to temperature extremes (-25°C to +70°C), electromagnetic interference from traction current, and humidity. |
| Multi-Aspect Signal Head | DEC57058 | Physical signal head assembly for mainline railway colour-light signalling. Houses 2, 3, or 4 LED signal modules in vertical configuration displaying Red, Yellow, Double Yellow, and Green aspects per UK four-aspect signalling rules. Includes polycarbonate lenses with anti-phantom hoods to prevent sun phantom, background contrast boards, and IP66-rated enclosure for lineside installation. Mounted on signal posts, gantries, or platform-end brackets at heights of 2.5-6m above rail level. Must maintain aspect visibility at >1000m sighting distance in all ambient light conditions including direct sunlight. SIL4 safety integrity for aspect display correctness. |
| Network Diagnostic and Monitoring Agent | 55E67308 | SNMP v3-based network health monitoring system collecting real-time link status, forwarding latency, packet loss rates, bandwidth utilization, and error counters from all network switches, multiplexers, and gateways. Generates alarms for link degradation exceeding thresholds (e.g., packet loss >0.001%, latency >1ms). Maintains 90-day rolling log of network performance metrics. Feeds consolidated network health data to the Signalling Diagnostic and Monitoring System via a non-vital interface. Runs on a dedicated monitoring server in the SER with web-based dashboard for maintenance staff. |
| Network Time Distribution Server | 54F77218 | IEEE 1588v2 Precision Time Protocol grandmaster clock with GPS/GNSS-disciplined oscillator providing sub-microsecond time synchronization across the signalling communication network. Distributes UTC time to all network endpoints for juridical recording timestamps, event correlation, and diagnostic analysis. Dual-redundant configuration with automatic failover to backup grandmaster. GNSS receiver with multi-constellation support (GPS+Galileo) and spoofing detection. Holdover stability of ±1 microsecond over 24 hours using rubidium oscillator backup when GNSS signal is lost. |
| Object Controller | D0F57018 | Distributed safety-certified I/O module forming the interface between the Vital Processing Unit and trackside field equipment in a railway interlocking. Each Object Controller manages a geographic group of 8-16 field objects: signals, point machines, track circuit receivers, and axle counter evaluators. Communicates with VPU over safety-layer protocol (EN 50159 Category 3 over Ethernet). Performs output driving with read-back verification and input conditioning with debounce and validity checking. Installed in trackside location cases, operating -25°C to +70°C. MTBF target >100,000 hours. |
| Point Drive Controller | D0F57018 | Trackside electronics module that interfaces between the CBI Object Controller and the point machine. Receives throw commands (normal/reverse) and returns detection status (detected normal, detected reverse, not detected, in transit). Sequences 3-phase power to the point machine motor, monitors motor current draw for obstruction detection (current signature analysis), implements throw timeout supervision, and provides local diagnostic data logging. Typically housed in a sealed trackside equipment case (IP65+). Must handle power supply variations ±20% and provide brown-out protection. SIL 4 for detection reporting; SIL 2 for drive sequencing. Key interface: 2-wire or 4-wire vital circuit to Object Controller. |
| Point Heating System | 54F73218 | Electric resistance heating elements installed along switch rails and slide chairs to prevent ice and snow accumulation impeding blade movement. 2-5kW per switch, controlled by point heating controller activated by ambient temperature (<3°C), humidity (>80%), and precipitation sensors. Two modes: pre-emptive continuous low-power and reactive full-power. Total power demand 50-200kW per junction area. Must not interfere with track circuit operation — heating current isolated from signalling rails. SCADA interface for energy monitoring. |
| Point Position Detection Assembly | 54E17018 | Independent electro-mechanical detection system that proves railway switch blade position. Uses detection rods mechanically coupled to switch blades, driving either LVDT (Linear Variable Differential Transformer) displacement sensors or cam-operated vital contacts. Provides two independent detection channels: one for normal position, one for reverse position. Detection must be continuous and fail-safe — loss of detection signal must be interpreted as 'not detected' (points not proven). Detection tolerance typically ±2mm from nominal blade position. Must discriminate between fully seated and incompletely seated blades to prevent trains traversing partially-set points. Interfaces to Point Drive Controller via dedicated detection circuits. |
| Points and Crossing Drive System | D7F53018 | Electro-mechanical or electro-hydraulic point machines actuating railway switch blades and moveable crossings. Clamp-lock point machines (e.g., HW2000 or Alstom equivalents) providing 220mm throw with detection via internal contacts confirming both normal and reverse positions. Detection must be fail-safe: loss of detection forces interlocking to treat points as undetected (no route over). Drive time typically 3-6 seconds. Point heating systems prevent freezing in winter conditions. Interfaces: 110VDC or 3-phase AC power, discrete I/O to interlocking for drive commands and detection feedback. Must operate reliably in −40°C to +70°C trackside environment with ballast vibration and water ingress protection to IP67. |
| Power Supply Monitoring and Switchover Controller | 55F77A18 | SIL2 controller that continuously monitors mains supply status, UPS health, battery voltage and temperature, and manages automatic switchover between primary and backup power sources. Reports power system status and alarms to the Signalling Diagnostic and Monitoring System via Modbus TCP. Manages load-shedding of non-vital circuits when operating on battery backup to extend vital supply runtime. Records all power events with millisecond timestamps for post-incident analysis. |
| Railway Signalling System | 50F77A59 | A mainline railway signalling system conforming to CENELEC EN 50126/50128/50129 standards, responsible for the safe regulation of train movements across a multi-line railway corridor. The system controls signal aspects (red/yellow/green), points/switch machines, level crossings, and train detection using track circuits and axle counters. It implements vital interlocking logic (SIL 4) to prevent conflicting movements, integrates with the European Train Control System (ETCS Level 2) for continuous cab signalling, and provides centralised traffic management via a control centre. Operating environment spans outdoor trackside equipment (−40°C to +70°C, rain, vibration, EMI from traction current), indoor interlocking rooms, and control centre facilities. Key constraints: 10^−9/h tolerable hazard rate for wrong-side failures, 99.99% availability, <2s signal command latency, fail-safe design philosophy throughout. |
| RaSTA Protocol Stack | 40B57B58 | Software implementation of the Rail Safe Transport Application protocol per EN 50159 Category 3, executing on signalling network endpoints. Provides safety-critical authenticated peer-to-peer communication over IP networks with MD4/CRC message authentication codes, sequence number checking, timestamp validation, and configurable timeout monitoring (Tmax typically 500ms-2s). Runs as middleware between the application layer (interlocking logic, RBC logic) and the transport layer (TCP/IP). Must detect and report all communication errors within the safety integrity time interval. Certified to SIL4 for vital data exchange between interlocking and field controllers. |
| RBC Application Server | 50F57A58 | SIL 4 safety-critical application server implementing ETCS Level 2/3 movement authority (MA) computation per SUBSET-026 v3.6.0. Receives route status, point positions, and track occupancy from the Computer-Based Interlocking via a safe communication link. Computes continuous movement authorities including end-of-authority, speed profiles, gradient profiles, and mode transitions. Outputs MAs to onboard ETCS equipment via the Euroradio safe communication layer. Processes position reports from trains at minimum 5-second intervals. Manages up to 60 simultaneous train connections. 2oo2 architecture with hot standby for availability. Operating environment: indoor equipment room, 0-40°C, controlled humidity. |
| RBC Handover Controller | 51B57A78 | Safety-critical controller managing train handover between adjacent Radio Block Centres at RBC boundary areas. Implements SUBSET-026 RBC/RBC handover protocol including coordinated session transfer, movement authority boundary management, and safe transition of train supervision responsibility. Exchanges RBC-to-RBC messages via safe IP link per SUBSET-098. Maintains handover state machine for each train approaching boundary. Must complete handover within 5 seconds to avoid unnecessary service braking. Handles up to 10 concurrent handovers. |
| RBC-CBI Interface Gateway | 50E57058 | Safety-critical interface gateway providing bidirectional communication between ETCS Radio Block Centre and Computer-Based Interlocking. Receives route status, point positions, track occupancy, and signal aspect data from CBI. Transmits ETCS train position reports and MA acknowledgments back to CBI. Implements EN 50159 Category 3 safe communication protocol with authentication and sequence protection. Redundant dual-channel configuration matching CBI and RBC redundancy architectures. Message latency under 100ms end-to-end. |
| Remote Diagnostic Gateway | 50857958 | Secure network gateway providing authenticated remote access to signalling diagnostic data from the Railway Operating Centre or maintainer laptops via the signalling WAN. Implements role-based access control with multi-factor authentication. All remote sessions are logged and auditable. Enforces read-only access for remote users — no remote control of signalling equipment. Firewall rules restrict access to diagnostic data only, with no path to safety-critical interlocking networks. Compliant with NR/L2/CYB/27009 railway cybersecurity standard. |
| Road Traffic Signal Assembly | D6D57858 | Fail-safe road traffic signal unit at level crossings comprising twin red flashing lights, amber steady aspect, and LED array. Red lights flash alternately at 1 Hz. Must achieve minimum 200 candela luminous intensity for visibility at 100m in bright sunlight. LED technology with individual LED failure detection. Power supply monitoring with automatic switch to battery backup. Environmental rating IP67 for outdoor trackside installation. Conforms to Railway Group Standard RT/E/S/17031. |
| Route Setting and Command Interface | 50ED7A18 | Touchscreen and trackball-based operator input subsystem for railway signaller workstations. Provides route-setting functionality via point-and-click on signal/route icons on the track diagram. Implements 2-click route setting (entrance signal → exit signal) with visual confirmation feedback. Handles emergency controls (signal replacement, track release, points local control authorisation). All safety-critical commands require confirmation dialogue before transmission to CBI. Supports keyboard shortcuts for experienced signallers. Must process operator inputs within 200ms and provide visual acknowledgement. Generates audit trail of all operator actions with timestamps for juridical recording. |
| Safety-Critical Data Network Switch | D4A57058 | SIL2-rated managed Ethernet switches implementing Parallel Redundancy Protocol (PRP) per IEC 62439-3 for zero-recovery-time failover. Dual-redundant Layer 2 switches forming the backbone between CBI, train detection system, ETCS RBC, and points controllers in the signalling equipment room. Each switch supports 24+ Gigabit Ethernet ports with deterministic forwarding latency <10 microseconds. Operating in temperature-controlled SER environment, powered by dual redundant DC supplies. Handles safety-critical interlocking commands, track occupancy data, and movement authorities with guaranteed delivery. |
| Signal Aspect Driver | 54F57818 | Electronics board receiving digital aspect commands from the Computer-Based Interlocking Object Controller and converting them to appropriate LED lamp drive currents for a railway colour-light signal. Receives commanded aspect via vital digital I/O or RS-485 serial link from the Object Controller. Implements aspect sequencing rules preventing prohibited transitions (e.g., direct green-to-red without passing through yellow on 4-aspect signals). Drives LED Signal Modules at regulated 24VDC with precision current control. Incorporates fail-safe design: loss of command input or power causes default to most restrictive aspect (red) via de-energised relay. Provides feedback to Signal Proving Unit and diagnostic telemetry. Operating temperature range −25°C to +70°C for trackside location controller enclosure. |
| Signal Proving and Monitoring Unit | 54F57858 | SIL4 safety-critical monitoring circuit that continuously verifies correct operation of each LED Signal Module in a railway colour-light signal. Monitors drive current and light output of every aspect lamp. Primary safety function: if a proceed-aspect lamp (green, yellow, or double yellow) fails or degrades below minimum luminous intensity threshold, the unit forces the signal to display its most restrictive aspect (red) via hardware failsafe relay. For red lamp failure, triggers alarm but does not change aspect (already most restrictive). Reports lamp status, degradation level, and failure mode to the Signalling Diagnostic and Monitoring System via serial diagnostic interface. Implements EN 50129 SIL4 requirements with 2oo2 comparison architecture for failsafe detection. Power supply: 24VDC from lineside power distribution. |
| Signaller Authentication and Access Control Module | 40B57B79 | Role-based access control system for signaller workstations in railway control rooms. Authenticates signallers via smart card plus PIN before granting control access. Implements role hierarchy: Signaller (route setting, alarm acknowledgement), Supervisor (degraded mode authorisation, emergency controls), Maintainer (diagnostic access, test functions). Controls which geographical areas each signaller can command based on area-of-control assignments. Logs all authentication events with timestamps. Enforces automatic screen lock after 5 minutes of inactivity while maintaining display-only mode. Integrates with centralised identity management system. Must not prevent emergency controls during authentication system failures — falls back to physical key override. |
| Signaller Workstation | D4ED7818 | Human-machine interface for railway signallers providing geographical overview display of controlled area, individual control of signals and points, alarm management, and emergency controls. Large-format LCD displays (typically 3-6 screens per workstation) showing stylised geographic track layout with real-time train positions, signal aspects, point positions, and track circuit states. ARS integration allows signaller to monitor automatic operation and intervene when needed. Touch-screen or trackball input with deliberate-action controls (two-step for safety-critical commands). Emergency plunger for immediate red-signal-all. Ergonomically designed for 12-hour shift operation. SIL 0 for display, SIL 2 for safety-critical control outputs. |
| Signalling Communication Network | 40E57018 | Redundant data communication network interconnecting all signalling subsystems across a railway corridor. Dual-ring fibre optic backbone with automatic failover (<50ms switchover). Carries vital interlocking data between distributed interlocking nodes and between interlocking and RBC, using safety-certified protocols (e.g., EULYNX-compliant SFCP or RaSTA). Also carries non-vital traffic management, diagnostic, and CCTV data on logically separated VLANs. GSM-R radio network segment provides train-to-trackside voice and ETCS data communication. Cybersecurity hardened with network segmentation, intrusion detection, and encryption. Bandwidth provisioned for future FRMCS migration. Must maintain 99.999% availability across the corridor. |
| Signalling Diagnostic and Monitoring System | 54A47318 | Condition monitoring and remote diagnostics system for all signalling assets across the corridor. Collects real-time health data from interlocking, train detection, points, signals, power supplies, and communications. Tracks point machine current profiles to detect degradation (e.g., increasing drive current indicating obstruction or wear). Monitors track circuit rail-voltage trends. Centralised fault logging with time-stamped event recording for incident investigation. Predictive maintenance algorithms flag components approaching failure. Web-based dashboard accessible to maintenance engineers and control centre. Interfaces with maintenance management system for work order generation. Non-vital (SIL 0) — observes but does not command. |
| Signalling Power Distribution Panel | D6A53018 | Central distribution board routing regulated 110V AC and 48V DC power to individual signalling subsystems via dedicated circuit breakers and fuse protection. Per-circuit isolation switches for maintenance. Current monitoring per feeder to detect overloads, earth faults, and cable degradation. Divided into vital (interlocking, track circuits, signals) and non-vital (communications, diagnostics) sections with separate bus bars. |
| Signalling Power Feeder | D4851018 | Primary power intake unit receiving 11kV/650V AC from the national grid or local distribution network, stepping down to 110V AC and 48V DC for signalling loads. Feeds the entire signalling installation via isolating transformers that provide galvanic separation between traction power and signalling power. Located in the equipment room with dual incoming feeds for redundancy. Must maintain power quality to EN 50121-4 EMC standards despite proximity to 25kV AC traction supply. |
| Signalling Power Supply System | 54D71018 | Uninterruptible power supply infrastructure for the railway signalling system. Dual-fed from independent grid transformers with automatic changeover. Battery-backed UPS at each signalling equipment room providing 4-hour autonomy for vital equipment and 2-hour for non-vital under full load. 110VDC vital bus for interlocking outputs (signal and point drives via track-side distribution). 48VDC for communications equipment. 230VAC for workstations and ancillary systems. Power distribution to trackside via lineside cable routes with overcurrent and earth-fault protection. Monitoring of all supply paths with alarm to central control on any single-point-of-failure loss. |
| Signalling Uninterruptible Power Supply | D5F71218 | Battery-backed online double-conversion UPS providing seamless power continuity during mains interruption. Maintains 110V AC output to vital signalling loads (interlocking, track circuits, signals) for minimum 2 hours at full load. VRLA battery bank with individual cell monitoring. Output sinusoidal with less than 3 percent THD to avoid interference with audio-frequency track circuits. SIL2 monitoring of battery state-of-charge and remaining runtime. |
| Swing-Nose Crossing Actuator | D7F53018 | Specialised actuator for movable-nose crossings on high-speed turnouts where the crossing nose gap must be eliminated for speeds above 200 km/h. Nose tip alignment within ±0.5mm. Dedicated hydraulic or electro-mechanical drive with independent nose position detection. Installed only on high-speed turnouts (1:26 or longer geometry). Must synchronise with main point machine — both blades and crossing nose confirmed before route set. SIL 4 for detection; throw time under 6 seconds. |
| Timetable and Train Graph Processor | 40B53358 | Data processing component within a railway Traffic Management System responsible for importing, validating, and managing the working timetable. Imports timetable data from the national timetable system (ITPS/Darwin) in CIF format. Generates train graph (time-distance diagram) for the control area showing planned vs actual train paths. Computes real-time punctuality metrics (PPM, right-time arrival) per train and aggregated by route. Provides timetable perturbation modelling — simulates impact of regulation decisions before they are applied. Maintains a rolling 24-hour window of timetable data with 7-day lookahead for planned possessions and engineering works. |
| TMS-CBI Interface Gateway | 50E47918 | Protocol gateway component within a railway Traffic Management System that manages the bidirectional data interface between the non-vital TMS and the safety-critical Computer-Based Interlocking. Receives route-setting requests from the Automatic Route Setting Engine and translates them into CBI-specific protocol commands. Receives route confirmation/rejection, signal aspect, point position, and track occupation status from the CBI and distributes to TMS components. Implements protocol conversion between TMS application protocol and CBI vendor-specific interface (e.g., Siemens Westrace, Alstom SMARTLOCK). Enforces rate limiting on route-setting requests to prevent CBI overload (maximum 20 route commands per second). Non-vital gateway — the CBI validates all commands independently. Provides store-and-forward buffering during brief CBI communication interruptions (up to 30 seconds). |
| Track Circuit Power Feed Unit | D4D53018 | Specialised power supply generating regulated AC at audio frequencies (83Hz and 91.5Hz for UK Network Rail audio-frequency jointless track circuits) to energise track circuit transmitters. Each unit feeds multiple track circuits with individually adjustable output levels to compensate for varying rail impedance and track length. Frequency stability within 0.1 percent to prevent cross-talk between adjacent track circuits. Dual-redundant output stages with automatic changeover. |
| Track Diagram Display Processor | 50F57319 | Real-time graphical rendering engine for railway signaller HMI. Receives track occupation, signal aspect, point position, and route status data from the Computer-Based Interlocking via the signalling data network. Renders a geographical schematic diagram showing track sections colour-coded by occupation state (clear/occupied/failed), signal aspects, point positions, and active routes. Updates at ≤500ms refresh cycle. Runs on redundant workstation hardware with automatic failover. Must maintain display accuracy under peak traffic loads of 200+ simultaneous object state changes per second. Safety-related display — incorrect rendering could lead to signaller issuing unsafe commands. |
| Traffic Light Controller | 51F77A58 | A roadside controller managing signal phases for a junction |
| Traffic Management System | 51F47B58 | Centralised traffic management (TMS) providing automated route setting, timetable execution, and real-time traffic regulation for a multi-line railway corridor. Implements ARS (Automatic Route Setting) algorithm that reads timetable, predicts train arrivals, and sends route requests to interlocking at optimal times. Conflict detection and resolution module proposes reordering when delays occur. Real-time train graph display with deviation highlighting. Interfaces with national timetable system for planned schedules and provides actual running data for performance monitoring. Non-vital system (SIL 0) — signaller can always override. Handles up to 500 train movements per shift. |
| Train Describer and Berth Management | 41B77318 | Train identity tracking component within a railway Traffic Management System. Receives train detection events from the CBI and associates them with train identities (headcodes) using automatic berth stepping rules. Maintains a real-time table mapping each train headcode to its current track section (berth). Handles interpose (manual identity assignment), cancel, and step-back operations. Provides train identity data to the Track Diagram Display Processor for display on the signaller workstation, and to the Automatic Route Setting Engine for timetable correlation. Supports ARS interworking by feeding actual train positions back to the routing algorithm. Processes up to 500 concurrent train identities with berth step latency under 500ms. |
| Train Detection Data Concentrator | D0F55058 | Safety-rated data aggregation processor (SIL 4 per EN 50129) that collects occupancy status from all Audio-Frequency Track Circuits and Axle Counter Evaluators across an interlocking area. Normalises heterogeneous detector outputs into a unified digital occupancy table. Provides vital serial interface to the Computer-Based Interlocking Object Controllers. Performs continuous diagnostic monitoring: detects degrading track circuit insulation, intermittent sensor faults, and communication link failures. Generates alarm data for the diagnostic system. Manages up to 128 track sections. Indoor rack-mounted unit in signalling equipment room. Dual-redundant hot-standby configuration with <50ms switchover. |
| Train Detection Subsystem | 54E57018 | Provides real-time train occupancy data to the interlocking. Comprises jointless audio-frequency track circuits (operating at 1.7kHz–2.6kHz) for continuous block occupancy detection, and wheel-sensor axle counters for point-specific detection and confirmation. Track circuits detect broken rails as a secondary safety function. Axle counters provide counting-head pairs at section boundaries with indoor evaluators. Must detect all rail vehicles including lightweight track maintenance machines (>30kg axle load). False-clear failure rate <10^-9/h. Operates in harsh trackside environment: −40°C to +70°C, traction return current interference up to 2000A, rail impedance variations due to weather. |
| Vital Processing Unit | 51F53258 | SIL 4 safety computer at the core of a Computer-Based Interlocking (CBI). Implements 2-out-of-3 (2oo3) voted architecture using three independent processing channels executing identical interlocking logic in lock-step. Each channel runs a cyclic safety kernel at 500ms cycle time, comparing outputs before commanding field equipment. Receives train detection inputs, route requests from TMS/signaller, and computes route-locking, flank protection, overlap management, and signal aspect determination. Designed to CENELEC EN 50129 SIL 4 with a tolerable hazard rate of 10^-9 per hour. Typical implementations: Alstom Smartlock 400, Siemens SIMIS-W, Hitachi HISAC-20. |
| Wheel Sensor | C4C54018 | Rail-mounted inductive proximity sensor pair installed at track section boundaries for axle detection. Each counting point uses two sensor heads spaced 0.5m apart on one rail to determine direction of travel by phase difference. Detects wheel flanges passing through the electromagnetic field. Operating range: all wheel diameters 330-1000mm, speeds 0-500 km/h. Passive (no trackside electronics) — generates analogue pulse signals transmitted to the Axle Counter Evaluator via shielded cable up to 12 km. IP68 rated for permanent outdoor rail-mount installation. Must withstand rail vibration, ballast tamping, and traction current interference. |
| Workstation Redundancy Controller | 51B77208 | Hot-standby management controller for paired signaller workstation installations. Monitors primary workstation health (CPU, memory, display output, network connectivity, application heartbeat) and triggers automatic switchover to standby workstation upon detection of primary failure. Switchover completes within 5 seconds with full state transfer — the standby workstation resumes displaying the identical track diagram state, route indications, and alarm queue. Implements split-brain prevention using heartbeat protocol over dedicated Ethernet link between workstation pairs. Generates diagnostic events for all switchover actions. Supports manual forced switchover for maintenance. Runs on dedicated embedded controller hardware independent of the workstation operating system. |

| Component | Belongs To |
|---|---|
| Computer-Based Interlocking | Railway Signalling System |
| Train Detection Subsystem | Railway Signalling System |
| ETCS Radio Block Centre | Railway Signalling System |
| Colour-Light Signalling Output | Railway Signalling System |
| Points and Crossing Drive System | Railway Signalling System |
| Level Crossing Protection System | Railway Signalling System |
| Traffic Management System | Railway Signalling System |
| Signaller Workstation | Railway Signalling System |
| Signalling Communication Network | Railway Signalling System |
| Signalling Power Supply System | Railway Signalling System |
| Signalling Diagnostic and Monitoring System | Railway Signalling System |
| Vital Processing Unit | Computer-Based Interlocking |
| Object Controller | Computer-Based Interlocking |
| Interlocking Application Data | Computer-Based Interlocking |
| Engineering and Maintenance Terminal | Computer-Based Interlocking |
| Interlocking Communication Gateway | Computer-Based Interlocking |
| Audio-Frequency Track Circuit | Train Detection Subsystem |
| Axle Counter Evaluator | Train Detection Subsystem |
| Wheel Sensor | Train Detection Subsystem |
| Train Detection Data Concentrator | Train Detection Subsystem |
| RBC Application Server | ETCS Radio Block Centre |
| Euroradio Safe Communication Layer | ETCS Radio Block Centre |
| GSM-R Radio Interface Module | ETCS Radio Block Centre |
| RBC-CBI Interface Gateway | ETCS Radio Block Centre |
| RBC Handover Controller | ETCS Radio Block Centre |
| Juridical Recording Unit | ETCS Radio Block Centre |
| Level Crossing Controller | Level Crossing Protection System |
| Road Traffic Signal Assembly | Level Crossing Protection System |
| Barrier Drive Mechanism | Level Crossing Protection System |
| Level Crossing Obstacle Detection System | Level Crossing Protection System |
| Level Crossing Audible Warning Device | Level Crossing Protection System |
| Electro-Hydraulic Point Machine | Points and Crossing Drive System |
| Point Position Detection Assembly | Points and Crossing Drive System |
| Point Drive Controller | Points and Crossing Drive System |
| Point Heating System | Points and Crossing Drive System |
| Swing-Nose Crossing Actuator | Points and Crossing Drive System |
| Safety-Critical Data Network Switch | Signalling Communication Network |
| Lineside Transmission Multiplexer | Signalling Communication Network |
| RaSTA Protocol Stack | Signalling Communication Network |
| Network Time Distribution Server | Signalling Communication Network |
| Cybersecurity Boundary Gateway | Signalling Communication Network |
| Network Diagnostic and Monitoring Agent | Signalling Communication Network |
| Multi-Aspect Signal Head | Colour-Light Signalling Output |
| LED Signal Module | Colour-Light Signalling Output |
| Signal Proving and Monitoring Unit | Colour-Light Signalling Output |
| Signal Aspect Driver | Colour-Light Signalling Output |
| Junction Route Indicator | Colour-Light Signalling Output |
| Signalling Power Feeder | Signalling Power Supply System |
| Signalling Uninterruptible Power Supply | Signalling Power Supply System |
| Signalling Power Distribution Panel | Signalling Power Supply System |
| Track Circuit Power Feed Unit | Signalling Power Supply System |
| Power Supply Monitoring and Switchover Controller | Signalling Power Supply System |
| Condition Monitoring Server | Signalling Diagnostic and Monitoring System |
| Event Logger and Replay Unit | Signalling Diagnostic and Monitoring System |
| Remote Diagnostic Gateway | Signalling Diagnostic and Monitoring System |
| Alarm Management Processor | Signalling Diagnostic and Monitoring System |
| Track Diagram Display Processor | Signaller Workstation |
| Route Setting and Command Interface | Signaller Workstation |
| Alarm Display and Management Panel | Signaller Workstation |
| Workstation Redundancy Controller | Signaller Workstation |
| Signaller Authentication and Access Control Module | Signaller Workstation |
| Automatic Route Setting Engine | Traffic Management System |
| Timetable and Train Graph Processor | Traffic Management System |
| Conflict Detection and Resolution Module | Traffic Management System |
| Train Describer and Berth Management | Traffic Management System |
| TMS-CBI Interface Gateway | Traffic Management System |

| From | To |
|---|---|
| Computer-Based Interlocking | Train Detection Subsystem |
| Computer-Based Interlocking | Colour-Light Signalling Output |
| Computer-Based Interlocking | Points and Crossing Drive System |
| Computer-Based Interlocking | ETCS Radio Block Centre |
| Computer-Based Interlocking | Traffic Management System |
| Computer-Based Interlocking | Level Crossing Protection System |
| Wheel Sensor | Axle Counter Evaluator |
| Audio-Frequency Track Circuit | Train Detection Data Concentrator |
| Axle Counter Evaluator | Train Detection Data Concentrator |
| Train Detection Data Concentrator | Computer-Based Interlocking |
| RBC Application Server | Euroradio Safe Communication Layer |
| Euroradio Safe Communication Layer | GSM-R Radio Interface Module |
| RBC-CBI Interface Gateway | RBC Application Server |
| RBC Application Server | RBC Handover Controller |
| RBC Application Server | Juridical Recording Unit |
| RBC Handover Controller | Euroradio Safe Communication Layer |
| Level Crossing Controller | Road Traffic Signal Assembly |
| Level Crossing Controller | Barrier Drive Mechanism |
| Level Crossing Controller | Level Crossing Audible Warning Device |
| Level Crossing Obstacle Detection System | Level Crossing Controller |
| Level Crossing Controller | Computer-Based Interlocking |
| Point Drive Controller | Electro-Hydraulic Point Machine |
| Point Position Detection Assembly | Point Drive Controller |
| Point Drive Controller | Swing-Nose Crossing Actuator |
| Object Controller | Point Drive Controller |
| Point Heating System | Signalling Diagnostic and Monitoring System |
| Safety-Critical Data Network Switch | Lineside Transmission Multiplexer |
| Safety-Critical Data Network Switch | RaSTA Protocol Stack |
| Network Time Distribution Server | Safety-Critical Data Network Switch |
| Cybersecurity Boundary Gateway | Safety-Critical Data Network Switch |
| Network Diagnostic and Monitoring Agent | Safety-Critical Data Network Switch |
| Network Diagnostic and Monitoring Agent | Cybersecurity Boundary Gateway |
| Network Diagnostic and Monitoring Agent | Lineside Transmission Multiplexer |
| Signalling Communication Network | Computer-Based Interlocking |
| Signalling Communication Network | ETCS Radio Block Centre |
| Signalling Communication Network | Signalling Diagnostic and Monitoring System |
| Signal Aspect Driver | LED Signal Module |
| Signal Aspect Driver | Junction Route Indicator |
| Signal Proving and Monitoring Unit | LED Signal Module |
| Signal Proving and Monitoring Unit | Signal Aspect Driver |
| Signal Proving and Monitoring Unit | Signalling Diagnostic and Monitoring System |
| LED Signal Module | Multi-Aspect Signal Head |
| Signalling Power Feeder | Signalling Uninterruptible Power Supply |
| Signalling Power Feeder | Signalling Power Distribution Panel |
| Signalling Uninterruptible Power Supply | Signalling Power Distribution Panel |
| Signalling Power Distribution Panel | Track Circuit Power Feed Unit |
| Power Supply Monitoring and Switchover Controller | Signalling Power Feeder |
| Power Supply Monitoring and Switchover Controller | Signalling Uninterruptible Power Supply |
| Power Supply Monitoring and Switchover Controller | Signalling Power Distribution Panel |
| Power Supply Monitoring and Switchover Controller | Signalling Diagnostic and Monitoring System |
| Condition Monitoring Server | Event Logger and Replay Unit |
| Condition Monitoring Server | Alarm Management Processor |
| Remote Diagnostic Gateway | Condition Monitoring Server |
| Alarm Management Processor | Signaller Workstation |
| Track Diagram Display Processor | Route Setting and Command Interface |
| Alarm Display and Management Panel | Track Diagram Display Processor |
| Workstation Redundancy Controller | Track Diagram Display Processor |
| Signaller Authentication and Access Control Module | Route Setting and Command Interface |
| Automatic Route Setting Engine | TMS-CBI Interface Gateway |
| Timetable and Train Graph Processor | Automatic Route Setting Engine |
| Conflict Detection and Resolution Module | Automatic Route Setting Engine |
| Train Describer and Berth Management | Automatic Route Setting Engine |
| TMS-CBI Interface Gateway | Train Describer and Berth Management |
| Track Diagram Display Processor | Computer-Based Interlocking |
| Route Setting and Command Interface | Computer-Based Interlocking |
| Train Describer and Berth Management | Track Diagram Display Processor |
| TMS-CBI Interface Gateway | Computer-Based Interlocking |
| Traffic Management System | Signaller Workstation |

| Component | Output |
|---|---|
| Vital Processing Unit | route-locking commands, signal aspect commands, point position commands |
| Object Controller | field equipment drive signals, input status reports |
| Interlocking Communication Gateway | movement authority data, route confirmation messages, vital link coordination |
| Audio-Frequency Track Circuit | binary occupied/clear status per track section via rail impedance measurement |
| Axle Counter Evaluator | section occupancy state derived from axle count differential, reset request alerts |
| Wheel Sensor | analogue pulse signals encoding wheel flange passage events and direction |
| Train Detection Data Concentrator | unified digital occupancy table, diagnostic alarms, degradation alerts |
| RBC Application Server | Movement Authority (MA) messages |
| Euroradio Safe Communication Layer | Authenticated safe messages |
| GSM-R Radio Interface Module | Radio bearer sessions |
| RBC-CBI Interface Gateway | Interlocking status data |
| RBC Handover Controller | Handover coordination messages |
| Juridical Recording Unit | Tamper-evident event logs |
| Level Crossing Controller | Protection sequence commands |
| Road Traffic Signal Assembly | Visual warning to road users |
| Barrier Drive Mechanism | Physical road closure |
| Level Crossing Obstacle Detection System | Obstacle detection status |
| Level Crossing Audible Warning Device | Audible warning tone |
| Electro-Hydraulic Point Machine | mechanical blade movement and hydraulic clamp locking force |
| Point Position Detection Assembly | vital blade position detection signals (normal detected, reverse detected, not detected) |
| Point Drive Controller | motor drive power sequencing, detection status reports, obstruction alarms, diagnostic data |
| Point Heating System | thermal energy to switch rails preventing ice and snow accumulation |
| Swing-Nose Crossing Actuator | crossing nose movement and position detection for high-speed turnouts |
| Safety-Critical Data Network Switch | redundant Ethernet paths with PRP zero-recovery-time failover for vital signalling data |
| Lineside Transmission Multiplexer | aggregated fiber-optic trunk links carrying multiplexed field equipment data |
| RaSTA Protocol Stack | SIL4-authenticated safety messages with sequence validation and timeout detection |
| Network Time Distribution Server | sub-microsecond UTC time synchronization via IEEE 1588v2 PTP |
| Cybersecurity Boundary Gateway | filtered and inspected data flows between safety and non-vital network zones |
| Network Diagnostic and Monitoring Agent | network health alarms, performance metrics, 90-day rolling logs |
| Multi-Aspect Signal Head | visible signal aspect (red/yellow/double-yellow/green) |
| LED Signal Module | monochromatic light output at calibrated intensity |
| Signal Proving and Monitoring Unit | lamp status and failsafe override |
| Signal Aspect Driver | regulated LED drive current per commanded aspect |
| Junction Route Indicator | route direction display at junctions |
| Signalling Power Feeder | regulated 110V AC and 48V DC bulk power from stepped-down mains supply |
| Signalling Uninterruptible Power Supply | seamless conditioned AC power with battery backup for minimum 2 hours during mains failure |
| Signalling Power Distribution Panel | individually protected and isolated power feeds to each signalling subsystem |
| Track Circuit Power Feed Unit | regulated audio-frequency AC power (83Hz/91.5Hz) for track circuit transmitters |
| Power Supply Monitoring and Switchover Controller | power system status reports, switchover commands, load-shedding sequences, event logs |
| Condition Monitoring Server | predictive maintenance alerts, degradation trends, reliability reports, 12-month operational data archive |
| Event Logger and Replay Unit | tamper-evident chronological event records with 1ms timestamps, incident replay sessions |
| Remote Diagnostic Gateway | authenticated read-only remote diagnostic sessions with audit trail |
| Alarm Management Processor | rationalised prioritised alarm stream, root-cause correlation, alarm history with operator response data |
| Track Diagram Display Processor | real-time schematic track diagram display |
| Route Setting and Command Interface | route-setting commands and operator action audit trail |
| Alarm Display and Management Panel | prioritised alarm display and acknowledgement events |
| Workstation Redundancy Controller | automatic failover and state transfer between workstation pairs |
| Signaller Authentication and Access Control Module | authenticated session and role-based access permissions |
| Automatic Route Setting Engine | automatic route-setting commands and regulation decisions |
| Timetable and Train Graph Processor | train graph display and punctuality metrics |
| Conflict Detection and Resolution Module | conflict alerts and regulation recommendations |
| Train Describer and Berth Management | real-time train identity to berth mapping |
| TMS-CBI Interface Gateway | protocol-translated route commands and CBI status data |

| Source | Target | Type | Description |
|---|---|---|---|
| SYS-REQS-FUNC-005 | IFC-CBIINTERFACES-025 | derives | ETCS MA delivery drives TMS-safety boundary interface |
| SYS-REQS-FUNC-003 | IFC-CBIINTERFACES-024 | derives | System redundancy drives dual-path PRP interface requirement |
| SYS-REQS-FUNC-005 | IFC-CBIINTERFACES-013 | derives | Euroradio-GSM-R bearer interface derives from MA delivery chain |
| SYS-REQS-FUNC-005 | IFC-CBIINTERFACES-012 | derives | RBC-Euroradio message interface derives from system MA transmission |
| SYS-REQS-FUNC-005 | IFC-CBIINTERFACES-011 | derives | CBI-RBC interface data rate derives from system MA timing |
| SYS-REQS-PERF-002 | IFC-CBIINTERFACES-002 | derives | System signal timing derives CBI-Signal interface |
| SYS-REQS-FUNC-006 | IFC-CBIINTERFACES-006 | derives | System level crossing derives CBI-LX interface |
| SYS-REQS-FUNC-005 | IFC-CBIINTERFACES-004 | derives | System ETCS MA timing derives CBI-ETCS interface |
| SYS-REQS-FUNC-004 | IFC-CBIINTERFACES-001 | derives | System train detection derives CBI-TrainDet interface |
| SYS-REQS-PERF-002 | SUB-REQS-FUNC-051 | derives | System signal update requirement drives LED intensity requirement |
| SYS-REQS-FUNC-001 | SUB-REQS-FUNC-076 | derives | Interlocking safety drives command acknowledgement at signaller interface |
| SYS-REQS-FUNC-001 | SUB-REQS-FUNC-009 | derives | Interlocking safety integrity drives engineering terminal access control |
| SYS-REQS-FUNC-001 | SUB-REQS-FUNC-083 | derives | Interlocking safety drives automatic workstation inactivity lock |
| SYS-REQS-FUNC-010 | SUB-REQS-FUNC-082 | derives | Degraded-mode operation drives authentication fallback requirement |
| SYS-REQS-FUNC-012 | SUB-REQS-FUNC-078 | derives | System event monitoring drives alarm display presentation requirements |
| SYS-REQS-PERF-002 | SUB-REQS-FUNC-086 | derives | Throughput performance requirement drives conflict detection module |
| SYS-REQS-PERF-002 | SUB-REQS-FUNC-084 | derives | Signal update performance drives automatic route setting engine specification |
| SYS-REQS-FUNC-012 | SUB-REQS-FUNC-077 | derives | System recording requirement drives operator command audit trail |
| SYS-REQS-FUNC-001 | SUB-REQS-FUNC-075 | derives | Interlocking safety drives two-stage command confirmation at signaller workstation |
| SYS-REQS-FUNC-012 | SUB-REQS-FUNC-069 | derives | System recording requirement drives event logger retention specification |
| SYS-REQS-FUNC-003 | SUB-REQS-FUNC-090 | derives | TMS graceful degradation on CBI communication loss |
| SYS-REQS-PERF-002 | SUB-REQS-FUNC-074 | derives | Display rendering drives signal aspect visibility |
| SYS-REQS-FUNC-004 | SUB-REQS-FUNC-087 | derives | Train detection requirement derives train describer berth tracking |
| SYS-REQS-FUNC-003 | SUB-REQS-FUNC-080 | derives | System redundancy requirement cascades to workstation hot-standby |
| SYS-REQS-PERF-002 | SUB-REQS-FUNC-073 | derives | System display latency flows to workstation display processor |
| SYS-REQS-FUNC-003 | SUB-REQS-FUNC-063 | derives | Vital/non-vital bus separation prevents fault propagation |
| SYS-REQS-FUNC-004 | SUB-REQS-FUNC-062 | derives | Power quality for track circuit integrity |
| SYS-REQS-FUNC-004 | SUB-REQS-FUNC-064 | derives | Track circuit power frequency stability for reliable train detection |
| SYS-REQS-FUNC-003 | SUB-REQS-FUNC-061 | derives | Battery backup continuity for vital loads |
| SYS-REQS-FUNC-003 | SUB-REQS-FUNC-065 | derives | Dual mains supply redundancy for power subsystem |
| SYS-REQS-PERF-002 | SUB-REQS-FUNC-054 | derives | System signal update timing drives aspect sequencing rules |
| SYS-REQS-FUNC-003 | SUB-REQS-FUNC-052 | derives | System single-failure-safe drives LED graceful degradation requirement |
| SYS-REQS-ENV-007 | SUB-REQS-FUNC-057 | derives | System environmental requirement drives signal head visibility specs |
| SYS-REQS-PERF-002 | SUB-REQS-FUNC-058 | derives | System signal timing requirement cascades to junction indicator timing |
| SYS-REQS-FUNC-003 | SUB-REQS-FUNC-056 | derives | System redundancy cascades to 2oo2 monitoring architecture |
| SYS-REQS-FUNC-003 | SUB-REQS-FUNC-055 | derives | System redundancy requirement cascades to driver board failsafe |
| SYS-REQS-FUNC-003 | SUB-REQS-FUNC-053 | derives | System redundancy requirement cascades to lamp failure detection |
| SYS-REQS-FUNC-001 | SUB-REQS-FUNC-001 | derives | System vital interlocking requirement derives VPU voting architecture |
| SYS-REQS-FUNC-001 | SUB-REQS-FUNC-002 | derives | System vital interlocking derives CBI route-locking logic |
| SYS-REQS-FUNC-001 | SUB-REQS-FUNC-003 | derives | System vital interlocking derives flank protection requirement |
| SYS-REQS-FUNC-003 | SUB-REQS-FUNC-001 | derives | System redundancy requirement derives VPU 2oo3 architecture |
| SYS-REQS-FUNC-003 | SUB-REQS-FUNC-008 | derives | System redundancy derives degraded-mode operation |
| SYS-REQS-PERF-002 | SUB-REQS-PERF-010 | derives | System signal timing derives VPU cycle time |
| SYS-REQS-FUNC-001 | SUB-REQS-FUNC-004 | derives | System vital interlocking derives overlap management |
| SYS-REQS-FUNC-001 | SUB-REQS-FUNC-005 | derives | System vital interlocking derives OC authenticated command chain |
| SYS-REQS-FUNC-003 | SUB-REQS-FUNC-006 | derives | System redundancy derives application data integrity check |
| SYS-REQS-FUNC-005 | SUB-REQS-FUNC-007 | derives | System ETCS requirement derives Communication Gateway safety protocol |
| SYS-REQS-PERF-002 | SUB-REQS-PERF-012 | derives | System signal timing derives OC capacity and latency |
| SYS-REQS-FUNC-004 | SUB-REQS-FUNC-013 | derives | System detection sensitivity cascades to track circuit shunting threshold |
| SYS-REQS-FUNC-004 | SUB-REQS-FUNC-015 | derives | System detection requirement drives axle counter accuracy target |
| SYS-REQS-FUNC-003 | SUB-REQS-FUNC-018 | derives | System redundancy requirement cascades to Data Concentrator hot-standby |
| SYS-REQS-PERF-002 | SUB-REQS-FUNC-017 | derives | System signal update budget apportioned to concentrator aggregation latency |
| SYS-REQS-FUNC-004 | SUB-REQS-FUNC-016 | derives | System detection requirement drives axle counter fail-safe behaviour |
| SYS-REQS-FUNC-004 | SUB-REQS-FUNC-019 | derives | System detection requirement drives detector health monitoring |
| SYS-REQS-FUNC-005 | SUB-REQS-FUNC-020 | derives | 800ms MA computation budget derives from 2-second system MA latency |
| SYS-REQS-FUNC-005 | SUB-REQS-FUNC-021 | derives | 60-train capacity derives from system MA transmission requirement |
| SYS-REQS-FUNC-005 | SUB-REQS-FUNC-023 | derives | Euroradio integrity required for safe MA transmission |
| SYS-REQS-FUNC-005 | SUB-REQS-FUNC-026 | derives | 100ms gateway latency is part of 2-second MA budget |
| SYS-REQS-FUNC-001 | SUB-REQS-FUNC-030 | derives | Emergency stop broadcast derives from vital interlocking safety requirement |
| SYS-REQS-FUNC-003 | SUB-REQS-FUNC-022 | derives | RBC 2oo2 hot-standby derives from system redundancy requirement |
| SYS-REQS-FUNC-006 | SUB-REQS-FUNC-031 | derives | LC protection timing derives from system approach trigger requirement |
| SYS-REQS-FUNC-006 | SUB-REQS-FUNC-032 | derives | Obstacle detection derives from safe crossing protection |
| SYS-REQS-FUNC-003 | SUB-REQS-FUNC-035 | derives | LC fail-safe state derives from system redundancy/safety requirement |
| SYS-REQS-FUNC-005 | SUB-REQS-FUNC-024 | derives | T_NVCONTACT monitoring derives from MA delivery chain |
| SYS-REQS-FUNC-005 | SUB-REQS-FUNC-025 | derives | GSM-R session setup is prerequisite for MA delivery |
| SYS-REQS-FUNC-005 | SUB-REQS-FUNC-027 | derives | Handover timing ensures continuous MA delivery at RBC boundaries |
| SYS-REQS-FUNC-003 | SUB-REQS-FUNC-029 | derives | RBC degraded mode derives from system redundancy requirement |
| SYS-REQS-FUNC-006 | SUB-REQS-FUNC-033 | derives | Barrier torque limiting derives from crossing protection safety |
| SYS-REQS-FUNC-006 | SUB-REQS-FUNC-034 | derives | Signal visibility derives from crossing warning requirement |
| SYS-REQS-FUNC-005 | SUB-REQS-FUNC-028 | derives | ETCS MA requirement drives juridical recording |
| SYS-REQS-FUNC-001 | SUB-REQS-FUNC-036 | derives | Route-setting time allocation cascades to point throw time |
| SYS-REQS-FUNC-001 | SUB-REQS-FUNC-037 | derives | Interlocking safety depends on proven blade position |
| SYS-REQS-FUNC-003 | SUB-REQS-FUNC-040 | derives | Single failure tolerance cascades to detection fail-safe |
| SYS-REQS-FUNC-001 | SUB-REQS-FUNC-039 | derives | Route safety requires blades held in position under traffic |
| SYS-REQS-ENV-007 | SUB-REQS-FUNC-042 | derives | Environmental operating range requires anti-icing protection |
| SYS-REQS-FUNC-001 | SUB-REQS-FUNC-041 | derives | Vital interlocking requires proven crossing nose position for high-speed routes |
| SYS-REQS-FUNC-003 | SUB-REQS-FUNC-043 | derives | System redundancy requirement derives network PRP requirement |
| SYS-REQS-PERF-002 | SUB-REQS-FUNC-044 | derives | Signal update timing derives network latency budget |
| SYS-REQS-FUNC-003 | SUB-REQS-FUNC-050 | derives | System redundancy requirement derives network degraded-mode behavior |
| SYS-REQS-FUNC-005 | SUB-REQS-FUNC-045 | derives | ETCS MA timing derives RaSTA safety communication requirement |
| SYS-REQS-FUNC-005 | SUB-REQS-FUNC-046 | derives | ETCS timing accuracy drives time synchronization requirement |
| SYS-REQS-FUNC-003 | SUB-REQS-FUNC-048 | derives | System redundancy drives lineside link availability |
| STK-NEEDS-PERF-003 | SYS-REQS-FUNC-010 | derives | Availability stakeholder need drives degraded-mode operating procedures |
| STK-NEEDS-OPS-001 | SYS-REQS-FUNC-008 | derives | Collision prevention stakeholder need drives requirement for trackside AWS/TPWS protection |
| STK-NEEDS-CON-005 | SYS-REQS-FUNC-009 | derives | AWS/TPWS is required for non-ETCS-fitted trains during mixed-traffic transition period |
| STK-NEEDS-OPS-001 | SYS-REQS-FUNC-013 | derives | TSR management ensures trains are protected at reduced-speed sections |
| STK-NEEDS-OPS-001 | SYS-REQS-FUNC-012 | derives | System-wide event recording enables incident investigation to verify safety function performance |
| STK-NEEDS-PERF-003 | SYS-REQS-FUNC-011 | derives | Degraded mode capability ensures continued operation when primary signalling fails |
| STK-NEEDS-OPS-001 | SYS-REQS-FUNC-009 | derives | AWS/TPWS provides independent SPAD protection layer deriving from train separation safety requirement |
| STK-NEEDS-PERF-003 | SYS-REQS-ENV-007 | derives | Availability requirement drives environmental specification |
| STK-NEEDS-OPS-004 | SYS-REQS-FUNC-003 | derives | Maintainability requirement drives redundancy architecture |
| STK-NEEDS-OPS-006 | SYS-REQS-FUNC-006 | derives | Level crossing safety need derives warning time requirement |
| STK-NEEDS-CON-005 | SYS-REQS-FUNC-005 | derives | ETCS compatibility need derives movement authority computation requirement |
| STK-NEEDS-OPS-001 | SYS-REQS-FUNC-004 | derives | Train separation need derives train detection integrity requirement |
| STK-NEEDS-PERF-003 | SYS-REQS-FUNC-003 | derives | Availability need derives redundancy and failover requirement |
| STK-NEEDS-PERF-002 | SYS-REQS-PERF-002 | derives | Headway capacity need derives signal command latency requirement |
| STK-NEEDS-OPS-001 | SYS-REQS-FUNC-001 | derives | Train separation safety need derives interlocking safety function |

| Requirement | Verified By | Type | Description |
|---|---|---|---|
| IFC-CBIINTERFACES-045 | VER-TEST-076 | verifies | Integration test for conflict alert delivery |
| IFC-CBIINTERFACES-044 | VER-TEST-075 | verifies | Integration test for train identity delivery to display |
| IFC-CBIINTERFACES-043 | VER-TEST-074 | verifies | Integration test for TMS-CBI route command interface |
| IFC-CBIINTERFACES-042 | VER-TEST-073 | verifies | Integration test for alarm delivery interface |
| IFC-CBIINTERFACES-041 | VER-TEST-072 | verifies | Integration test for workstation command interface |
| IFC-CBIINTERFACES-040 | VER-TEST-071 | verifies | Integration test for TDDP-CBI state data interface |
| IFC-CBIINTERFACES-039 | VER-TEST-068 | verifies | MFA and audit logging test for remote diagnostic access |
| IFC-CBIINTERFACES-038 | VER-TEST-067 | verifies | Guaranteed delivery test for CMS-EventLogger interface |
| IFC-CBIINTERFACES-037 | VER-TEST-066 | verifies | Alarm delivery latency test at AMP-Workstation interface |
| IFC-CBIINTERFACES-036 | VER-TEST-062 | verifies | Modbus TCP integration test for power monitoring data |
| IFC-CBIINTERFACES-035 | VER-TEST-061 | verifies | Earth fault detection test for TC power distribution |
| IFC-CBIINTERFACES-034 | VER-TEST-060 | verifies | Integration test for UPS-distribution panel interface |
| IFC-CBIINTERFACES-033 | VER-TEST-059 | verifies | Integration test for feeder-UPS power interface |
| IFC-CBIINTERFACES-027 | VER-054 | verifies | Network monitoring interface end-to-end test for IFC-027 |
| IFC-CBIINTERFACES-025 | VER-053 | verifies | Cybersecurity boundary gateway penetration test for IFC-025 |
| IFC-CBIINTERFACES-032 | VER-TEST-051 | verifies | Junction indicator interlock test for IFC-032 |
| IFC-CBIINTERFACES-031 | VER-TEST-050 | verifies | Diagnostic serial interface test for IFC-031 |
| IFC-CBIINTERFACES-029 | VER-TEST-049 | verifies | Monitoring accuracy test for IFC-029 |
| IFC-CBIINTERFACES-030 | VER-TEST-048 | verifies | Failsafe relay integration test for IFC-030 |
| IFC-CBIINTERFACES-028 | VER-TEST-047 | verifies | Drive current integration test for IFC-028 |
| IFC-CBIINTERFACES-023 | VER-TEST-046 | verifies | Fiber trunk BER and optical margin integration test |
| IFC-CBIINTERFACES-026 | VER-TEST-043 | verifies | PTP synchronization accuracy measurement with holdover |
| IFC-CBIINTERFACES-024 | VER-TEST-040 | verifies | PRP failover integration test for CBI-switch interface |
| IFC-CBIINTERFACES-022 | VER-TEST-036 | verifies | Diagnostic reporting protocol compliance test |
| IFC-CBIINTERFACES-021 | VER-TEST-035 | verifies | Swing-nose synchronisation interlock test |
| IFC-CBIINTERFACES-020 | VER-TEST-034 | verifies | Detection interface dual-channel test |
| IFC-CBIINTERFACES-019 | VER-TEST-033 | verifies | Power interface integration test for PDC-EHPM |
| IFC-CBIINTERFACES-018 | VER-TEST-026 | verifies | Barrier position feedback and stall detection test |
| IFC-CBIINTERFACES-017 | VER-TEST-025 | verifies | Obstacle detection interface boundary and fail-safe test |
| IFC-CBIINTERFACES-016 | VER-TEST-024 | verifies | Integration test for CBI-LC Controller interface |
| IFC-CBIINTERFACES-015 | VER-TEST-020 | verifies | JRU guaranteed delivery test under peak load |
| IFC-CBIINTERFACES-014 | VER-TEST-019 | verifies | Handover state transfer latency test |
| IFC-CBIINTERFACES-013 | VER-TEST-018 | verifies | Bearer error injection test for Euroradio-GSM-R interface |
| IFC-CBIINTERFACES-012 | VER-TEST-017 | verifies | Integration test for RBC-Euroradio message interface |
| IFC-CBIINTERFACES-011 | VER-TEST-016 | verifies | Integration test for CBI-RBC interface |
| IFC-CBIINTERFACES-010 | VER-TEST-013 | verifies | Integration test for vital serial link from concentrator to CBI |
| IFC-CBIINTERFACES-009 | VER-TEST-012 | verifies | Integration test for RS-485 serial link between evaluator and concentrator |
| IFC-CBIINTERFACES-008 | VER-TEST-011 | verifies | Integration test for track circuit relay contact interface to concentrator |
| IFC-CBIINTERFACES-007 | VER-TEST-010 | verifies | Integration test for wheel sensor to evaluator cable interface |
| IFC-CBIINTERFACES-006 | VER-TEST-006 | verifies | Integration test for CBI-LX interface |
| IFC-CBIINTERFACES-005 | VER-TEST-005 | verifies | Integration test for CBI-TMS interface |
| IFC-CBIINTERFACES-004 | VER-TEST-004 | verifies | Integration test for CBI-ETCS RaSTA interface |
| IFC-CBIINTERFACES-003 | VER-TEST-003 | verifies | Integration test for CBI-Points interface |
| IFC-CBIINTERFACES-002 | VER-TEST-002 | verifies | Integration test for CBI-Signal interface |
| IFC-CBIINTERFACES-001 | VER-TEST-001 | verifies | Integration test for CBI-TrainDet interface |
| SUB-REQS-FUNC-089 | VER-TEST-085 | verifies | CIF timetable conflict injection test |
| SUB-REQS-FUNC-071 | VER-TEST-084 | verifies | Adversarial write-attempt test for remote diagnostic isolation |
| SUB-REQS-FUNC-070 | VER-TEST-083 | verifies | CMS aggregation latency test under peak concurrent load |
| SUB-REQS-FUNC-060 | VER-TEST-082 | verifies | Lamp degradation injection test for signal proving unit |
| SUB-REQS-FUNC-088 | VER-TEST-081 | verifies | TMS gateway rate limiting test |
| SUB-REQS-FUNC-085 | VER-TEST-080 | verifies | ARS capacity load test |
| SUB-REQS-FUNC-081 | VER-TEST-079 | verifies | Authentication and access control demonstration |
| SUB-REQS-FUNC-080 | VER-TEST-078 | verifies | Workstation failover test |
| SUB-REQS-FUNC-079 | VER-TEST-077 | verifies | Alarm flood management test |
| SUB-REQS-FUNC-072 | VER-TEST-070 | verifies | GPS timestamp accuracy test over 24-hour period |
| SUB-REQS-FUNC-068 | VER-TEST-069 | verifies | EEMUA 191 alarm rate compliance test |
| SUB-REQS-FUNC-067 | VER-TEST-065 | verifies | Cell-level monitoring alarm test |
| SUB-REQS-FUNC-066 | VER-TEST-064 | verifies | Load-shedding timing and runtime extension test |
| SUB-REQS-FUNC-061 | VER-TEST-063 | verifies | Full-load discharge test for UPS backup duration |
| SUB-REQS-FUNC-037 | VER-058 | verifies | Point Position Detection threshold boundary test |
| SUB-REQS-FUNC-059 | VER-057 | verifies | Junction Route Indicator hardware interlock independence test |
| SUB-REQS-FUNC-056 | VER-056 | verifies | Signal Proving Unit 2oo2 comparison architecture test |
| SUB-REQS-FUNC-055 | VER-055 | verifies | Signal Aspect Driver failsafe default test for SUB-055 |
| SUB-REQS-FUNC-053 | VER-TEST-052 | verifies | Failsafe timing test for SUB-053 |
| SUB-REQS-FUNC-049 | VER-TEST-045 | verifies | Network degradation alarm test |
| SUB-REQS-FUNC-047 | VER-TEST-044 | verifies | Cybersecurity boundary penetration and latency test |
| SUB-REQS-FUNC-045 | VER-TEST-042 | verifies | RaSTA error detection fault injection test |
| SUB-REQS-FUNC-044 | VER-TEST-041 | verifies | End-to-end latency measurement under load |
| SUB-REQS-FUNC-038 | VER-TEST-039 | verifies | Obstruction detection sensitivity and response test |
| SUB-REQS-FUNC-040 | VER-TEST-038 | verifies | Fail-safe detection default timing test |
| SUB-REQS-FUNC-036 | VER-TEST-037 | verifies | Throw time test across temperature range |
| SUB-REQS-FUNC-016 | VER-032 | verifies | Test verifies axle count discrepancy detection and fail-safe response |
| SUB-REQS-FUNC-015 | VER-031 | verifies | Test verifies axle counting accuracy across speed/wheel envelope |
| SUB-REQS-FUNC-008 | VER-030 | verifies | Test verifies 2oo3 to 2oo2 degraded mode transition |
| SUB-REQS-FUNC-006 | VER-029 | verifies | Test verifies VPU data integrity check at startup |
| SUB-REQS-FUNC-005 | VER-028 | verifies | Test verifies Object Controller command authentication |
| SUB-REQS-FUNC-002 | VER-027 | verifies | Test verifies route-locking enforcement |
| SUB-REQS-FUNC-030 | VER-TEST-023 | verifies | Emergency stop broadcast timing test |
| SUB-REQS-FUNC-022 | VER-TEST-022 | verifies | Hot-standby failover test |
| SUB-REQS-FUNC-020 | VER-TEST-021 | verifies | MA computation performance test |
| SUB-REQS-FUNC-014 | VER-TEST-015 | verifies | Fault injection test for track circuit fail-safe behaviour |
| SUB-REQS-FUNC-013 | VER-TEST-014 | verifies | Field test for track circuit shunting sensitivity |
| SUB-REQS-PERF-011 | VER-ANAL-009 | verifies | Markov reliability analysis for VPU MTBFd |
| SUB-REQS-PERF-010 | VER-ANAL-008 | verifies | WCET analysis for VPU cycle time |
| SUB-REQS-FUNC-001 | VER-TEST-007 | verifies | Fault injection test for VPU 2oo3 voting |
| SYS-REQS-FUNC-013 | VER-TEST-090 | verifies | Test of TSR propagation to lineside signals and ETCS MAs with concurrent restriction management |
| SYS-REQS-FUNC-012 | VER-TEST-089 | verifies | Test of cross-subsystem event recording at peak load with retention and tamper verification |
| SYS-REQS-FUNC-011 | VER-TEST-088 | verifies | Demonstration of degraded mode transition and operational capacity |
| SYS-REQS-FUNC-009 | VER-TEST-087 | verifies | Verification of AWS/TPWS intervention reliability and ETCS coexistence |
| SYS-REQS-FUNC-004 | VER-TEST-086 | verifies | End-to-end detection-to-protection chain test |
| SYS-REQS-PERF-002 | VER-TEST-086 | verifies | System-level end-to-end safety chain integration test |

| Ref | Document | Requirement |
|---|---|---|
| ARC-009 | architecture-decisions | ARC: Colour-Light Signalling Output — Separated safety monitoring from drive electronics. The Signal Proving and Monitor... |
| ARC-010 | architecture-decisions | ARC: Signalling Power Supply System — Online double-conversion UPS topology with vital/non-vital bus separation at the d... |
| ARC-012 | architecture-decisions | ARC: Signalling Diagnostic and Monitoring System — Separated alarm management from condition monitoring to avoid data ov... |
| ARC-CBIARCHITECTUREDECISIONS-001 | architecture-decisions | ARC: Computer-Based Interlocking — 2oo3 voted architecture with distributed Object Controllers and centralised Communica... |
| ARC-SYS-ARC-002 | architecture-decisions | ARC: Train Detection Subsystem — Dual-technology detection (audio-frequency track circuits plus axle counters) with cent... |
| ARC-SYS-ARC-004 | architecture-decisions | ARC: ETCS Radio Block Centre — Layered architecture separating safety application (MA computation) from safe communicati... |
| ARC-SYS-ARC-005 | architecture-decisions | ARC: Level Crossing Protection System — Centralised controller with distributed field equipment and independent obstacle... |
| ARC-SYS-ARC-006 | architecture-decisions | ARC: Points and Crossing Drive System — Centralised drive controller with per-machine detection independence. The Point ... |
| ARC-SYS-ARC-007 | architecture-decisions | ARC: Signalling Communication Network — Layered architecture separating physical transport (PRP switches, fiber multiple... |
| ARC-SYS-ARC-013 | architecture-decisions | ARC: Signaller Workstation — Separated display rendering, command input, alarm management, and access control into indep... |
| ARC-SYS-ARC-014 | architecture-decisions | ARC: Traffic Management System — Separated automatic route setting, conflict resolution, train description, and timetabl... |