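// === Description ===
// Radio Block Center — trackside control centre of an ETCS Level 2
// network. Issues time- and route-dependent Movement Authorities to
// trains in its area of responsibility and coordinates handovers to
// neighbouring RBCs. An MA is granted only when interlocking, track
// occupancy and point/signal status confirm that the track section is
// clear. 2oo3 computer architecture with safety voter, redundant
// GSM-R / FRMCS gateways, UPS and emergency generator.
// Safety target SIL 4 per EN 50128 / EN 50129.
// === End Description ===
// FtaDSL Radio Block Center (RBC) — ETCS Level 2 Wayside
//
// Author: Wolfgang Freese, Overath (Germany)
// April 2026
// Version 1.0
//
// Safety class: SIL 4 per EN 50126 / EN 50128 / EN 50129
//
// References:
//   EN 50126 (2017)          RAMS for Railway Applications
//   EN 50128 (2020)          Software for Railway Control and Protection
//   EN 50129 (2018)          Safety-related Electronic Systems
//   ERA UNISIG Subset-026    ETCS System Requirements Specification
//   ERA UNISIG Subset-037    EuroRadio FIS
//   ERA UNISIG Subset-039    FIS for RBC/RBC Handover
//   ERA UNISIG Subset-091    Safety Requirements for the Technical Interoperability
//                            of ETCS in Levels 1 and 2
//   TSI CCS (EU 2023/1695)   Control-Command and Signalling
//   IEC 62443                Industrial Automation and Control Systems Security
//
// Top Level Event (TLE):
//   IncorrectMovementAuthorityGranted
//   A Movement Authority (MA) is issued that permits a train to enter a
//   section which is not safely cleared (track occupied, point not locked,
//   conflicting route) or that extends an existing MA past a danger point.
//   Hazard classification: catastrophic (collision, derailment on flanking
//   movement). SIL 4 per EN 50129.
//
// Fault mode catalogue (core 10-12 modes reused across subsystems):
//   MA_TooPermissive         MA granted beyond safe extent
//   MA_ForConflictingRoute   MA issued against a not-compatible route
//   MA_Extended              MA refreshed / extended without valid basis
//   MA_Missing               No MA issued when required
//   MA_Late                  MA issued outside timing envelope
//   MA_Duplicated            Redundant MA messages cause ambiguity
//   Position_Outdated        Reported train position older than validity window
//   Position_Corrupted       Train position value corrupted in transport/store
//   Route_NotLocked          Physical route not yet locked when MA computed
//   RouteLock_StatusFalse    Interlocking reports false "locked" status
//   Channel_Disagreement     Cross-channel compare detects mismatch
//   Channel_Silent           Compute channel does not deliver heartbeat/output
//   Message_Corrupted        Radio/field message content corrupted
//   Message_Spoofed          Unauthenticated message accepted as valid
//   Crypto_MAC_Invalid       MAC generation/verification defective
//   Interlocking_Link_Lost   Gateway link to interlocking unavailable
//   Power_Lost               Electrical supply below operational threshold
//   Bus_Silent               SafeTransport network path quiet / disconnected
//   Clock_Skew               Time base drift beyond tolerance
//   Clock_Lost               No valid time reference
//
// Reading the model (statement shapes as they are used in this file):
//   OIM <output>.<fault mode>.<cause>
//       <cause> is <input>.<fault mode> or an OR(...) / AND(...) of such terms.
//   INT <name>.<source>.<IN|OUT>.<port>.<destination>.<IN|OUT>.<port>
//       wires a port of one function to a port of another.
//   TLE <event name>.<RBC output>.<fault mode>
//   ISF / SF / TF <path> <rate>
//       fault rates; see the catalogue at the end of the file.
//
// ======================================================================
// Outer Function
// ======================================================================
FUNCTION RBC
    INPUT Interlocking_State_Primary
    INPUT Interlocking_State_Backup
    INPUT TrainReport_A
    INPUT TrainReport_B
    INPUT FRMCS_Traffic
    INPUT AdjacentRBC_Handover_In
    INPUT Operator_Cmd
    INPUT GridPower
    INPUT BackupGenFuel_Level
    INPUT GPS_TimeSource
    INPUT FieldElement_Status
    OUTPUT MA_Grant_GSMR_A
    OUTPUT MA_Grant_GSMR_B
    OUTPUT MA_Grant_FRMCS
    OUTPUT Interlocking_Command
    OUTPUT AdjacentRBC_Handover_Out
    OUTPUT SCADA_Status
    OUTPUT JuridicalLog

    // ================================================================
    // Infrastructure — electrical power and climate
    // ================================================================
    FUNCTION PowerSupply_Primary
        INPUT GridIn
        OUTPUT MainsOut
        OIM MainsOut.Power_Lost.GridIn.Power_Lost
    END FUNCTION

    // UPSOut.Power_Lost follows MainsIn.Power_Lost directly, so the model
    // gives the UPS no ride-through: a grid loss reaches every UPS-fed
    // function. The generator is wired as a separate feed (ifPwrGen*), not
    // as a backup input of the UPS.
    // NOTE(review): confirm this is the intended (conservative) abstraction.
    FUNCTION UPS_Battery
        INPUT MainsIn
        OUTPUT UPSOut
        OIM UPSOut.Power_Lost.MainsIn.Power_Lost
    END FUNCTION

    FUNCTION DieselGenerator_Backup
        INPUT FuelLevel
        OUTPUT GenOut
        OIM GenOut.Power_Lost.FuelLevel.Power_Lost
    END FUNCTION

    FUNCTION HVAC_Equipment
        INPUT PowerIn
        OUTPUT CoolingOK
        OIM CoolingOK.Power_Lost.PowerIn.Power_Lost
    END FUNCTION

    FUNCTION Network_SafeTransport_A
        INPUT PowerIn
        OUTPUT NetOutA
        OIM NetOutA.Bus_Silent.PowerIn.Power_Lost
        OIM NetOutA.Message_Corrupted.PowerIn.Power_Lost
    END FUNCTION

    FUNCTION Network_SafeTransport_B
        INPUT PowerIn
        OUTPUT NetOutB
        OIM NetOutB.Bus_Silent.PowerIn.Power_Lost
        OIM NetOutB.Message_Corrupted.PowerIn.Power_Lost
    END FUNCTION

    // ================================================================
    // Time reference
    // ================================================================
    // Single time source for the whole RBC: TimeRef feeds the platform OS,
    // the watchdog, the timeout supervisor and the loggers (ifTime*).
    FUNCTION TimeSync_GPS
        INPUT GPSIn
        INPUT PowerIn
        OUTPUT TimeRef
        OIM TimeRef.Clock_Lost.OR(GPSIn.Clock_Lost; PowerIn.Power_Lost)
        OIM TimeRef.Clock_Skew.GPSIn.Clock_Skew
    END FUNCTION

    // ================================================================
    // Radio infrastructure
    // ================================================================
    // Loss of power is modelled as Crypto_MAC_Invalid here, and downstream
    // (EuroRadio_Stack_Server, MovementAuthorityGenerator) Crypto_MAC_Invalid
    // is modelled as Message_Spoofed. In effect an unavailable MAC service is
    // treated as fail-open (unauthenticated messages accepted).
    // NOTE(review): confirm against the real EuroRadio behaviour; if messages
    // are rejected when MAC verification is unavailable, the consequence is
    // Channel_Silent / MA_Missing rather than Message_Spoofed.
    FUNCTION CryptoServer
        INPUT KeyIn
        INPUT PowerIn
        OUTPUT MACService
        OIM MACService.Crypto_MAC_Invalid.OR(KeyIn.Crypto_MAC_Invalid; PowerIn.Power_Lost)
        OIM MACService.Message_Corrupted.KeyIn.Crypto_MAC_Invalid
    END FUNCTION

    FUNCTION KeyManagement
        INPUT PowerIn
        OUTPUT KeyOut
        OIM KeyOut.Crypto_MAC_Invalid.PowerIn.Power_Lost
    END FUNCTION

    FUNCTION EuroRadio_Stack_Server
        INPUT MACIn
        INPUT NetIn
        INPUT PowerIn
        OUTPUT ERadioOut
        OIM ERadioOut.Message_Corrupted.OR(MACIn.Crypto_MAC_Invalid; NetIn.Message_Corrupted; PowerIn.Power_Lost)
        OIM ERadioOut.Message_Spoofed.MACIn.Crypto_MAC_Invalid
        OIM ERadioOut.Channel_Silent.OR(NetIn.Bus_Silent; PowerIn.Power_Lost)
    END FUNCTION

    // Gateways pass the MA_* fault modes arriving on ERadioIn straight
    // through to their MA output; they add no barrier against an unsafe MA.
    FUNCTION GSM_R_Gateway_A
        INPUT TrainIn
        INPUT ERadioIn
        INPUT PowerIn
        OUTPUT RadioAOut
        OUTPUT MA_OutA
        OIM RadioAOut.Message_Corrupted.OR(TrainIn.Message_Corrupted; ERadioIn.Message_Corrupted; PowerIn.Power_Lost)
        OIM RadioAOut.Channel_Silent.OR(ERadioIn.Channel_Silent; PowerIn.Power_Lost)
        OIM RadioAOut.Message_Spoofed.ERadioIn.Message_Spoofed
        OIM MA_OutA.MA_Missing.OR(ERadioIn.Channel_Silent; PowerIn.Power_Lost)
        OIM MA_OutA.MA_Late.ERadioIn.Message_Corrupted
        OIM MA_OutA.MA_TooPermissive.ERadioIn.MA_TooPermissive
        OIM MA_OutA.MA_ForConflictingRoute.ERadioIn.MA_ForConflictingRoute
        OIM MA_OutA.MA_Extended.ERadioIn.MA_Extended
    END FUNCTION

    FUNCTION GSM_R_Gateway_B
        INPUT TrainIn
        INPUT ERadioIn
        INPUT PowerIn
        OUTPUT RadioBOut
        OUTPUT MA_OutB
        OIM RadioBOut.Message_Corrupted.OR(TrainIn.Message_Corrupted; ERadioIn.Message_Corrupted; PowerIn.Power_Lost)
        OIM RadioBOut.Channel_Silent.OR(ERadioIn.Channel_Silent; PowerIn.Power_Lost)
        OIM RadioBOut.Message_Spoofed.ERadioIn.Message_Spoofed
        OIM MA_OutB.MA_Missing.OR(ERadioIn.Channel_Silent; PowerIn.Power_Lost)
        OIM MA_OutB.MA_Late.ERadioIn.Message_Corrupted
        OIM MA_OutB.MA_TooPermissive.ERadioIn.MA_TooPermissive
        OIM MA_OutB.MA_ForConflictingRoute.ERadioIn.MA_ForConflictingRoute
        OIM MA_OutB.MA_Extended.ERadioIn.MA_Extended
    END FUNCTION

    // MA_OutFRMCS.MA_Missing now includes PowerIn.Power_Lost, matching
    // GSM_R_Gateway_A/B: an unpowered gateway cannot deliver an MA.
    // Unlike the GSM-R gateways, no Message_Spoofed mode is defined for
    // FRMCSOut, and MA_Late is driven by FRMCSIn rather than ERadioIn.
    // NOTE(review): confirm whether those two differences are deliberate.
    FUNCTION FRMCS_Gateway_Future
        INPUT FRMCSIn
        INPUT ERadioIn
        INPUT PowerIn
        OUTPUT FRMCSOut
        OUTPUT MA_OutFRMCS
        OIM FRMCSOut.Message_Corrupted.OR(FRMCSIn.Message_Corrupted; ERadioIn.Message_Corrupted; PowerIn.Power_Lost)
        OIM FRMCSOut.Channel_Silent.OR(ERadioIn.Channel_Silent; PowerIn.Power_Lost)
        OIM MA_OutFRMCS.MA_Missing.OR(ERadioIn.Channel_Silent; PowerIn.Power_Lost)
        OIM MA_OutFRMCS.MA_Late.FRMCSIn.Message_Corrupted
        OIM MA_OutFRMCS.MA_TooPermissive.ERadioIn.MA_TooPermissive
        OIM MA_OutFRMCS.MA_ForConflictingRoute.ERadioIn.MA_ForConflictingRoute
        OIM MA_OutFRMCS.MA_Extended.ERadioIn.MA_Extended
    END FUNCTION

    // ================================================================
    // Interlocking interface
    // ================================================================
    FUNCTION DataDiode_FromInterlocking
        INPUT IxlIn
        OUTPUT DiodeOut
        OIM DiodeOut.Message_Corrupted.IxlIn.Message_Corrupted
        OIM DiodeOut.Bus_Silent.IxlIn.Interlocking_Link_Lost
    END FUNCTION

    // A corrupted message from the diode is treated as causing both
    // Route_NotLocked and RouteLock_StatusFalse on the primary path.
    FUNCTION Interlocking_Gateway_Primary
        INPUT DiodeIn
        INPUT NetIn
        INPUT PowerIn
        OUTPUT IxlPrimOut
        OIM IxlPrimOut.Interlocking_Link_Lost.OR(DiodeIn.Bus_Silent; NetIn.Bus_Silent; PowerIn.Power_Lost)
        OIM IxlPrimOut.Route_NotLocked.DiodeIn.Message_Corrupted
        OIM IxlPrimOut.RouteLock_StatusFalse.DiodeIn.Message_Corrupted
        OIM IxlPrimOut.Message_Corrupted.OR(DiodeIn.Message_Corrupted; NetIn.Message_Corrupted)
    END FUNCTION

    FUNCTION Interlocking_Gateway_Backup
        INPUT IxlBackupIn
        INPUT NetIn
        INPUT PowerIn
        OUTPUT IxlBkpOut
        OIM IxlBkpOut.Interlocking_Link_Lost.OR(IxlBackupIn.Interlocking_Link_Lost; NetIn.Bus_Silent; PowerIn.Power_Lost)
        OIM IxlBkpOut.Route_NotLocked.IxlBackupIn.Route_NotLocked
        OIM IxlBkpOut.RouteLock_StatusFalse.IxlBackupIn.RouteLock_StatusFalse
        OIM IxlBkpOut.Message_Corrupted.OR(IxlBackupIn.Message_Corrupted; NetIn.Message_Corrupted)
    END FUNCTION

    FUNCTION LegacyFieldElement_Proxy
        INPUT FieldIn
        INPUT PowerIn
        OUTPUT FieldOut
        OIM FieldOut.Interlocking_Link_Lost.OR(FieldIn.Interlocking_Link_Lost; PowerIn.Power_Lost)
        OIM FieldOut.RouteLock_StatusFalse.FieldIn.RouteLock_StatusFalse
        OIM FieldOut.Message_Corrupted.FieldIn.Message_Corrupted
    END FUNCTION

    // ================================================================
    // Data stores
    // ================================================================
    // All three stores map a loss of power to wrong content (corrupted /
    // outdated / false status), not to unavailability.
    FUNCTION TopologyDatabase
        INPUT PowerIn
        OUTPUT TopoOut
        OIM TopoOut.Position_Corrupted.PowerIn.Power_Lost
        OIM TopoOut.Route_NotLocked.PowerIn.Power_Lost
    END FUNCTION

    FUNCTION RouteDatabase
        INPUT PowerIn
        OUTPUT RouteDBOut
        OIM RouteDBOut.Route_NotLocked.PowerIn.Power_Lost
        OIM RouteDBOut.RouteLock_StatusFalse.PowerIn.Power_Lost
    END FUNCTION

    FUNCTION TrainRegistry
        INPUT PowerIn
        OUTPUT RegOut
        OIM RegOut.Position_Outdated.PowerIn.Power_Lost
        OIM RegOut.Position_Corrupted.PowerIn.Power_Lost
    END FUNCTION

    // ================================================================
    // Core safety functions
    // ================================================================
    // Train reports are redundant: both report paths must be corrupted
    // (AND) before the position is considered outdated or corrupted.
    FUNCTION TrainPositionManager
        INPUT TrainReportInA
        INPUT TrainReportInB
        INPUT RegIn
        INPUT TimeIn
        OUTPUT PositionOut
        OIM PositionOut.Position_Outdated.OR(AND(TrainReportInA.Message_Corrupted; TrainReportInB.Message_Corrupted); TimeIn.Clock_Lost; RegIn.Position_Outdated)
        OIM PositionOut.Position_Corrupted.OR(AND(TrainReportInA.Message_Corrupted; TrainReportInB.Message_Corrupted); RegIn.Position_Corrupted)
    END FUNCTION

    // Primary and backup interlocking paths are combined with AND; the
    // route database is a single-point contributor to Route_NotLocked.
    FUNCTION RouteLocker
        INPUT IxlPrimIn
        INPUT IxlBkpIn
        INPUT RouteDBIn
        INPUT FieldIn
        OUTPUT RouteStatus
        OIM RouteStatus.Route_NotLocked.OR(AND(IxlPrimIn.Route_NotLocked; IxlBkpIn.Route_NotLocked); RouteDBIn.Route_NotLocked)
        OIM RouteStatus.RouteLock_StatusFalse.OR(AND(IxlPrimIn.RouteLock_StatusFalse; IxlBkpIn.RouteLock_StatusFalse); AND(IxlPrimIn.RouteLock_StatusFalse; FieldIn.RouteLock_StatusFalse))
        OIM RouteStatus.Interlocking_Link_Lost.AND(IxlPrimIn.Interlocking_Link_Lost; IxlBkpIn.Interlocking_Link_Lost)
    END FUNCTION

    FUNCTION TrainSeparationLogic
        INPUT PositionIn
        INPUT TopoIn
        OUTPUT SeparationOut
        OIM SeparationOut.MA_TooPermissive.OR(PositionIn.Position_Outdated; PositionIn.Position_Corrupted; TopoIn.Position_Corrupted)
        OIM SeparationOut.MA_ForConflictingRoute.TopoIn.Route_NotLocked
    END FUNCTION

    FUNCTION ConflictDetector
        INPUT SeparationIn
        INPUT RouteIn
        INPUT TopoIn
        OUTPUT ConflictOut
        OIM ConflictOut.MA_ForConflictingRoute.OR(SeparationIn.MA_ForConflictingRoute; RouteIn.Route_NotLocked; RouteIn.RouteLock_StatusFalse; TopoIn.Route_NotLocked)
        OIM ConflictOut.MA_TooPermissive.SeparationIn.MA_TooPermissive
    END FUNCTION

    FUNCTION TimeoutSupervisor
        INPUT TimeIn
        INPUT PositionIn
        OUTPUT TimeoutOut
        OIM TimeoutOut.MA_Extended.OR(TimeIn.Clock_Skew; TimeIn.Clock_Lost; PositionIn.Position_Outdated)
        OIM TimeoutOut.MA_Late.TimeIn.Clock_Skew
    END FUNCTION

    // A spoofed operator command, a spoofed radio message or a loss of
    // power each lead to MA_TooPermissive here. This output feeds all three
    // compute channels, so each of these is a single-event path through the
    // 2oo3 voter.
    // NOTE(review): Power_Lost causing a too-permissive MA (rather than
    // MA_Missing only) means the handler is modelled as not fail-safe on
    // power loss; confirm that this is intended.
    FUNCTION EmergencyMessageHandler
        INPUT OperatorIn
        INPUT ERadioIn
        INPUT PowerIn
        OUTPUT EmergencyOut
        OIM EmergencyOut.MA_TooPermissive.OR(OperatorIn.Message_Spoofed; ERadioIn.Message_Spoofed; PowerIn.Power_Lost)
        OIM EmergencyOut.MA_Missing.OR(ERadioIn.Channel_Silent; PowerIn.Power_Lost)
    END FUNCTION

    // A spoofed handover message from the neighbour leads directly to
    // MA_ForConflictingRoute.
    FUNCTION HandoverCoordinator
        INPUT NeighbourIn
        INPUT TimeIn
        INPUT PowerIn
        OUTPUT HandoverOut
        OIM HandoverOut.MA_Duplicated.OR(NeighbourIn.Message_Corrupted; TimeIn.Clock_Skew)
        OIM HandoverOut.MA_Missing.OR(NeighbourIn.Channel_Silent; PowerIn.Power_Lost)
        OIM HandoverOut.MA_ForConflictingRoute.NeighbourIn.Message_Spoofed
    END FUNCTION

    // ================================================================
    // Safe computing platform (2oo3 compute + voter + OS + watchdog)
    // ================================================================
    // One SafePlatform_OS instance serves all three compute channels
    // (ifOSA / ifOSB / ifOSC), so its fault modes are common to A, B and C.
    FUNCTION SafePlatform_OS
        INPUT NetInA
        INPUT NetInB
        INPUT PowerIn
        INPUT CoolingIn
        INPUT TimeIn
        OUTPUT OSOut
        OIM OSOut.Bus_Silent.AND(NetInA.Bus_Silent; NetInB.Bus_Silent)
        OIM OSOut.Power_Lost.OR(PowerIn.Power_Lost; CoolingIn.Power_Lost)
        OIM OSOut.Clock_Skew.TimeIn.Clock_Skew
        OIM OSOut.Clock_Lost.TimeIn.Clock_Lost
    END FUNCTION

    // The watchdog has its own power feed (ifPwrGenWD) but takes its time
    // base from the same TimeSync_GPS.TimeRef as the platform it supervises
    // (ifTimeWD / ifTimeOS), so Clock_Skew and Clock_Lost hit both together.
    // NOTE(review): check whether the real watchdog has an independent
    // clock; if it does, this wiring overstates the coupling.
    FUNCTION WatchDog_Independent
        INPUT PowerIn
        INPUT TimeIn
        OUTPUT WatchdogOut
        OIM WatchdogOut.Channel_Silent.OR(PowerIn.Power_Lost; TimeIn.Clock_Lost)
        OIM WatchdogOut.Channel_Disagreement.TimeIn.Clock_Skew
    END FUNCTION

    // Channels A, B and C have identical logic and are wired to the same
    // upstream outputs (OS, watchdog, separation, conflict, timeout,
    // emergency, handover, topology). Any single upstream fault therefore
    // appears on all three channels at once and satisfies the voter's AND
    // pairs; only the per-channel SF rates are independent.
    // PositionIn is declared and wired but no OIM line references it.
    FUNCTION RBC_ComputeChannel_A
        INPUT OSIn
        INPUT WatchdogIn
        INPUT PositionIn
        INPUT RouteIn
        INPUT SeparationIn
        INPUT ConflictIn
        INPUT TimeoutIn
        INPUT EmergencyIn
        INPUT HandoverIn
        INPUT TopoIn
        OUTPUT ChanAOut
        OIM ChanAOut.MA_TooPermissive.OR(OSIn.Clock_Skew; WatchdogIn.Channel_Disagreement; SeparationIn.MA_TooPermissive; ConflictIn.MA_TooPermissive; EmergencyIn.MA_TooPermissive; TopoIn.Position_Corrupted)
        OIM ChanAOut.MA_ForConflictingRoute.OR(RouteIn.Route_NotLocked; RouteIn.RouteLock_StatusFalse; ConflictIn.MA_ForConflictingRoute; HandoverIn.MA_ForConflictingRoute)
        OIM ChanAOut.MA_Extended.TimeoutIn.MA_Extended
        OIM ChanAOut.MA_Late.OR(OSIn.Clock_Skew; TimeoutIn.MA_Late)
        OIM ChanAOut.MA_Missing.OR(OSIn.Bus_Silent; OSIn.Power_Lost; WatchdogIn.Channel_Silent; EmergencyIn.MA_Missing; HandoverIn.MA_Missing)
        OIM ChanAOut.Channel_Silent.OR(OSIn.Bus_Silent; OSIn.Power_Lost)
        OIM ChanAOut.Channel_Disagreement.OSIn.Clock_Skew
    END FUNCTION

    FUNCTION RBC_ComputeChannel_B
        INPUT OSIn
        INPUT WatchdogIn
        INPUT PositionIn
        INPUT RouteIn
        INPUT SeparationIn
        INPUT ConflictIn
        INPUT TimeoutIn
        INPUT EmergencyIn
        INPUT HandoverIn
        INPUT TopoIn
        OUTPUT ChanBOut
        OIM ChanBOut.MA_TooPermissive.OR(OSIn.Clock_Skew; WatchdogIn.Channel_Disagreement; SeparationIn.MA_TooPermissive; ConflictIn.MA_TooPermissive; EmergencyIn.MA_TooPermissive; TopoIn.Position_Corrupted)
        OIM ChanBOut.MA_ForConflictingRoute.OR(RouteIn.Route_NotLocked; RouteIn.RouteLock_StatusFalse; ConflictIn.MA_ForConflictingRoute; HandoverIn.MA_ForConflictingRoute)
        OIM ChanBOut.MA_Extended.TimeoutIn.MA_Extended
        OIM ChanBOut.MA_Late.OR(OSIn.Clock_Skew; TimeoutIn.MA_Late)
        OIM ChanBOut.MA_Missing.OR(OSIn.Bus_Silent; OSIn.Power_Lost; WatchdogIn.Channel_Silent; EmergencyIn.MA_Missing; HandoverIn.MA_Missing)
        OIM ChanBOut.Channel_Silent.OR(OSIn.Bus_Silent; OSIn.Power_Lost)
        OIM ChanBOut.Channel_Disagreement.OSIn.Clock_Skew
    END FUNCTION

    FUNCTION RBC_ComputeChannel_C
        INPUT OSIn
        INPUT WatchdogIn
        INPUT PositionIn
        INPUT RouteIn
        INPUT SeparationIn
        INPUT ConflictIn
        INPUT TimeoutIn
        INPUT EmergencyIn
        INPUT HandoverIn
        INPUT TopoIn
        OUTPUT ChanCOut
        OIM ChanCOut.MA_TooPermissive.OR(OSIn.Clock_Skew; WatchdogIn.Channel_Disagreement; SeparationIn.MA_TooPermissive; ConflictIn.MA_TooPermissive; EmergencyIn.MA_TooPermissive; TopoIn.Position_Corrupted)
        OIM ChanCOut.MA_ForConflictingRoute.OR(RouteIn.Route_NotLocked; RouteIn.RouteLock_StatusFalse; ConflictIn.MA_ForConflictingRoute; HandoverIn.MA_ForConflictingRoute)
        OIM ChanCOut.MA_Extended.TimeoutIn.MA_Extended
        OIM ChanCOut.MA_Late.OR(OSIn.Clock_Skew; TimeoutIn.MA_Late)
        OIM ChanCOut.MA_Missing.OR(OSIn.Bus_Silent; OSIn.Power_Lost; WatchdogIn.Channel_Silent; EmergencyIn.MA_Missing; HandoverIn.MA_Missing)
        OIM ChanCOut.Channel_Silent.OR(OSIn.Bus_Silent; OSIn.Power_Lost)
        OIM ChanCOut.Channel_Disagreement.OSIn.Clock_Skew
    END FUNCTION

    // 2-out-of-3 vote: an MA_* fault mode reaches VotedOut only when at
    // least two channels show it (three AND pairs under one OR).
    // MA_Missing is additionally caused by a silent watchdog, and a
    // disagreement flag on any single channel yields MA_Duplicated.
    FUNCTION SafetyVoter
        INPUT VoteA
        INPUT VoteB
        INPUT VoteC
        INPUT WatchdogIn
        OUTPUT VotedOut
        OIM VotedOut.MA_TooPermissive.OR(AND(VoteA.MA_TooPermissive; VoteB.MA_TooPermissive); AND(VoteA.MA_TooPermissive; VoteC.MA_TooPermissive); AND(VoteB.MA_TooPermissive; VoteC.MA_TooPermissive))
        OIM VotedOut.MA_ForConflictingRoute.OR(AND(VoteA.MA_ForConflictingRoute; VoteB.MA_ForConflictingRoute); AND(VoteA.MA_ForConflictingRoute; VoteC.MA_ForConflictingRoute); AND(VoteB.MA_ForConflictingRoute; VoteC.MA_ForConflictingRoute))
        OIM VotedOut.MA_Extended.OR(AND(VoteA.MA_Extended; VoteB.MA_Extended); AND(VoteA.MA_Extended; VoteC.MA_Extended); AND(VoteB.MA_Extended; VoteC.MA_Extended))
        OIM VotedOut.MA_Late.OR(AND(VoteA.MA_Late; VoteB.MA_Late); AND(VoteA.MA_Late; VoteC.MA_Late); AND(VoteB.MA_Late; VoteC.MA_Late))
        OIM VotedOut.MA_Missing.OR(AND(VoteA.MA_Missing; VoteB.MA_Missing); AND(VoteA.MA_Missing; VoteC.MA_Missing); AND(VoteB.MA_Missing; VoteC.MA_Missing); WatchdogIn.Channel_Silent)
        OIM VotedOut.MA_Duplicated.OR(VoteA.Channel_Disagreement; VoteB.Channel_Disagreement; VoteC.Channel_Disagreement)
    END FUNCTION

    // Sits after the voter, so its own SF rates and its TopoIn input are
    // not covered by the 2oo3 redundancy. A defective MAC service is mapped
    // to both Crypto_MAC_Invalid and Message_Spoofed on the outgoing MA.
    FUNCTION MovementAuthorityGenerator
        INPUT VotedIn
        INPUT CryptoIn
        INPUT TopoIn
        OUTPUT MAOut
        OIM MAOut.MA_TooPermissive.VotedIn.MA_TooPermissive
        OIM MAOut.MA_ForConflictingRoute.OR(VotedIn.MA_ForConflictingRoute; TopoIn.Route_NotLocked)
        OIM MAOut.MA_Extended.VotedIn.MA_Extended
        OIM MAOut.MA_Missing.VotedIn.MA_Missing
        OIM MAOut.MA_Late.VotedIn.MA_Late
        OIM MAOut.MA_Duplicated.VotedIn.MA_Duplicated
        OIM MAOut.Crypto_MAC_Invalid.CryptoIn.Crypto_MAC_Invalid
        OIM MAOut.Message_Spoofed.CryptoIn.Crypto_MAC_Invalid
    END FUNCTION

    // ================================================================
    // Operations, SCADA, diagnostics, juridical logging
    // ================================================================
    // SCADAOut.Message_Spoofed forwards spoofed operator commands.
    // EmergencyMessageHandler evaluates OperatorIn.Message_Spoofed on the
    // port fed by SCADAOut (ifOpEmerg), and the catalogue defines
    // ISF RBC.Operator_Cmd.Message_Spoofed; without this propagation that
    // contribution could never reach the TLE. Adding it raises the computed
    // TLE rate, so results from earlier runs are not comparable.
    FUNCTION SCADA_Interface
        INPUT OperatorIn
        INPUT PowerIn
        OUTPUT SCADAOut
        OIM SCADAOut.Message_Corrupted.OperatorIn.Message_Corrupted
        OIM SCADAOut.Message_Spoofed.OperatorIn.Message_Spoofed
        OIM SCADAOut.Bus_Silent.PowerIn.Power_Lost
    END FUNCTION

    FUNCTION DiagnosticServer
        INPUT PowerIn
        INPUT TimeIn
        OUTPUT DiagOut
        OIM DiagOut.Bus_Silent.PowerIn.Power_Lost
        OIM DiagOut.Clock_Skew.TimeIn.Clock_Skew
    END FUNCTION

    // The juridical log inherits Clock_Skew from the shared time source, so
    // a skewed time base also affects the timestamps of the evidence trail.
    FUNCTION Logger_Juridical
        INPUT MAIn
        INPUT SCADAIn
        INPUT DiagIn
        INPUT TimeIn
        INPUT PowerIn
        OUTPUT LogOut
        OIM LogOut.Message_Corrupted.OR(MAIn.MA_TooPermissive; SCADAIn.Message_Corrupted; DiagIn.Bus_Silent; PowerIn.Power_Lost)
        OIM LogOut.Clock_Skew.TimeIn.Clock_Skew
    END FUNCTION

    // ================================================================
    // Signal flow — INT declarations
    // ================================================================
    // NOTE(review): two input ports are driven by more than one INT line:
    //   GSM_R_Gateway_A/B and FRMCS_Gateway_Future .ERadioIn
    //       (ifERadioGSMA/B/FRMCS from ERadioOut, ifMAGenGSMA/B/FRMCS from MAOut)
    //   HandoverCoordinator.NeighbourIn
    //       (ifERadioHand from RadioBOut, ifHandoverIn from AdjacentRBC_Handover_In)
    // Confirm that the tool merges the fault modes of all sources on a port;
    // if only one declaration wins, either the radio-stack modes or the
    // MA_* / neighbour modes are silently dropped from the tree.

    // --- Power distribution chain ---
    INT ifPwrGrid.RBC.IN.GridPower.PowerSupply_Primary.IN.GridIn
    INT ifPwrFuel.RBC.IN.BackupGenFuel_Level.DieselGenerator_Backup.IN.FuelLevel
    INT ifPwrMain.PowerSupply_Primary.OUT.MainsOut.UPS_Battery.IN.MainsIn
    INT ifPwrUPSHVAC.UPS_Battery.OUT.UPSOut.HVAC_Equipment.IN.PowerIn
    INT ifPwrUPSNetA.UPS_Battery.OUT.UPSOut.Network_SafeTransport_A.IN.PowerIn
    INT ifPwrGenNetB.DieselGenerator_Backup.OUT.GenOut.Network_SafeTransport_B.IN.PowerIn
    INT ifPwrUPSOS.UPS_Battery.OUT.UPSOut.SafePlatform_OS.IN.PowerIn
    INT ifPwrGenWD.DieselGenerator_Backup.OUT.GenOut.WatchDog_Independent.IN.PowerIn
    INT ifPwrUPSTime.UPS_Battery.OUT.UPSOut.TimeSync_GPS.IN.PowerIn
    INT ifPwrUPSCrypto.UPS_Battery.OUT.UPSOut.CryptoServer.IN.PowerIn
    INT ifPwrGenKey.DieselGenerator_Backup.OUT.GenOut.KeyManagement.IN.PowerIn
    INT ifPwrUPSERadio.UPS_Battery.OUT.UPSOut.EuroRadio_Stack_Server.IN.PowerIn
    INT ifPwrUPSGSMA.UPS_Battery.OUT.UPSOut.GSM_R_Gateway_A.IN.PowerIn
    INT ifPwrGenGSMB.DieselGenerator_Backup.OUT.GenOut.GSM_R_Gateway_B.IN.PowerIn
    INT ifPwrUPSFRMCS.UPS_Battery.OUT.UPSOut.FRMCS_Gateway_Future.IN.PowerIn
    INT ifPwrUPSIxlP.UPS_Battery.OUT.UPSOut.Interlocking_Gateway_Primary.IN.PowerIn
    INT ifPwrGenIxlB.DieselGenerator_Backup.OUT.GenOut.Interlocking_Gateway_Backup.IN.PowerIn
    INT ifPwrUPSField.UPS_Battery.OUT.UPSOut.LegacyFieldElement_Proxy.IN.PowerIn
    INT ifPwrUPSTopo.UPS_Battery.OUT.UPSOut.TopologyDatabase.IN.PowerIn
    INT ifPwrUPSRouteDB.UPS_Battery.OUT.UPSOut.RouteDatabase.IN.PowerIn
    INT ifPwrUPSReg.UPS_Battery.OUT.UPSOut.TrainRegistry.IN.PowerIn
    INT ifPwrUPSEmerg.UPS_Battery.OUT.UPSOut.EmergencyMessageHandler.IN.PowerIn
    INT ifPwrUPSHand.UPS_Battery.OUT.UPSOut.HandoverCoordinator.IN.PowerIn
    INT ifPwrUPSScada.UPS_Battery.OUT.UPSOut.SCADA_Interface.IN.PowerIn
    INT ifPwrGenDiag.DieselGenerator_Backup.OUT.GenOut.DiagnosticServer.IN.PowerIn
    INT ifPwrUPSLog.UPS_Battery.OUT.UPSOut.Logger_Juridical.IN.PowerIn

    // --- HVAC cooling to compute platform ---
    INT ifCool.HVAC_Equipment.OUT.CoolingOK.SafePlatform_OS.IN.CoolingIn

    // --- Network SafeTransport A/B to compute platform ---
    INT ifNetAOS.Network_SafeTransport_A.OUT.NetOutA.SafePlatform_OS.IN.NetInA
    INT ifNetBOS.Network_SafeTransport_B.OUT.NetOutB.SafePlatform_OS.IN.NetInB
    INT ifNetAERadio.Network_SafeTransport_A.OUT.NetOutA.EuroRadio_Stack_Server.IN.NetIn
    INT ifNetBIxlP.Network_SafeTransport_B.OUT.NetOutB.Interlocking_Gateway_Primary.IN.NetIn
    INT ifNetAIxlB.Network_SafeTransport_A.OUT.NetOutA.Interlocking_Gateway_Backup.IN.NetIn

    // --- Time sync ---
    INT ifGPS.RBC.IN.GPS_TimeSource.TimeSync_GPS.IN.GPSIn
    INT ifTimeOS.TimeSync_GPS.OUT.TimeRef.SafePlatform_OS.IN.TimeIn
    INT ifTimeWD.TimeSync_GPS.OUT.TimeRef.WatchDog_Independent.IN.TimeIn
    INT ifTimeTimeout.TimeSync_GPS.OUT.TimeRef.TimeoutSupervisor.IN.TimeIn
    INT ifTimePos.TimeSync_GPS.OUT.TimeRef.TrainPositionManager.IN.TimeIn
    INT ifTimeHand.TimeSync_GPS.OUT.TimeRef.HandoverCoordinator.IN.TimeIn
    INT ifTimeDiag.TimeSync_GPS.OUT.TimeRef.DiagnosticServer.IN.TimeIn
    INT ifTimeLog.TimeSync_GPS.OUT.TimeRef.Logger_Juridical.IN.TimeIn

    // --- Crypto chain ---
    INT ifKey.KeyManagement.OUT.KeyOut.CryptoServer.IN.KeyIn
    INT ifMACERadio.CryptoServer.OUT.MACService.EuroRadio_Stack_Server.IN.MACIn
    INT ifMACMA.CryptoServer.OUT.MACService.MovementAuthorityGenerator.IN.CryptoIn

    // --- Radio chain ---
    INT ifTrainA.RBC.IN.TrainReport_A.GSM_R_Gateway_A.IN.TrainIn
    INT ifTrainB.RBC.IN.TrainReport_B.GSM_R_Gateway_B.IN.TrainIn
    INT ifFRMCS.RBC.IN.FRMCS_Traffic.FRMCS_Gateway_Future.IN.FRMCSIn
    INT ifERadioGSMA.EuroRadio_Stack_Server.OUT.ERadioOut.GSM_R_Gateway_A.IN.ERadioIn
    INT ifERadioGSMB.EuroRadio_Stack_Server.OUT.ERadioOut.GSM_R_Gateway_B.IN.ERadioIn
    INT ifERadioFRMCS.EuroRadio_Stack_Server.OUT.ERadioOut.FRMCS_Gateway_Future.IN.ERadioIn
    INT ifERadioEmerg.GSM_R_Gateway_A.OUT.RadioAOut.EmergencyMessageHandler.IN.ERadioIn
    INT ifERadioHand.GSM_R_Gateway_B.OUT.RadioBOut.HandoverCoordinator.IN.NeighbourIn

    // --- Interlocking chain ---
    INT ifIxlPrim.RBC.IN.Interlocking_State_Primary.DataDiode_FromInterlocking.IN.IxlIn
    INT ifIxlBkp.RBC.IN.Interlocking_State_Backup.Interlocking_Gateway_Backup.IN.IxlBackupIn
    INT ifDiode.DataDiode_FromInterlocking.OUT.DiodeOut.Interlocking_Gateway_Primary.IN.DiodeIn
    INT ifField.RBC.IN.FieldElement_Status.LegacyFieldElement_Proxy.IN.FieldIn
    INT ifIxlPrimRouteLock.Interlocking_Gateway_Primary.OUT.IxlPrimOut.RouteLocker.IN.IxlPrimIn
    INT ifIxlBkpRouteLock.Interlocking_Gateway_Backup.OUT.IxlBkpOut.RouteLocker.IN.IxlBkpIn
    INT ifFieldRouteLock.LegacyFieldElement_Proxy.OUT.FieldOut.RouteLocker.IN.FieldIn

    // --- Data store connections ---
    INT ifRouteDB.RouteDatabase.OUT.RouteDBOut.RouteLocker.IN.RouteDBIn
    INT ifRegPos.TrainRegistry.OUT.RegOut.TrainPositionManager.IN.RegIn
    INT ifTopoSep.TopologyDatabase.OUT.TopoOut.TrainSeparationLogic.IN.TopoIn
    INT ifTopoConf.TopologyDatabase.OUT.TopoOut.ConflictDetector.IN.TopoIn
    INT ifTopoA.TopologyDatabase.OUT.TopoOut.RBC_ComputeChannel_A.IN.TopoIn
    INT ifTopoB.TopologyDatabase.OUT.TopoOut.RBC_ComputeChannel_B.IN.TopoIn
    INT ifTopoC.TopologyDatabase.OUT.TopoOut.RBC_ComputeChannel_C.IN.TopoIn
    INT ifTopoMA.TopologyDatabase.OUT.TopoOut.MovementAuthorityGenerator.IN.TopoIn

    // --- Position manager feeders ---
    INT ifPosRepA.GSM_R_Gateway_A.OUT.RadioAOut.TrainPositionManager.IN.TrainReportInA
    INT ifPosRepB.GSM_R_Gateway_B.OUT.RadioBOut.TrainPositionManager.IN.TrainReportInB

    // --- Core function cross-wiring ---
    INT ifPosSep.TrainPositionManager.OUT.PositionOut.TrainSeparationLogic.IN.PositionIn
    INT ifPosTimeout.TrainPositionManager.OUT.PositionOut.TimeoutSupervisor.IN.PositionIn
    INT ifSepConf.TrainSeparationLogic.OUT.SeparationOut.ConflictDetector.IN.SeparationIn
    INT ifRouteConf.RouteLocker.OUT.RouteStatus.ConflictDetector.IN.RouteIn

    // --- Compute channels receive core function outputs ---
    INT ifPosA.TrainPositionManager.OUT.PositionOut.RBC_ComputeChannel_A.IN.PositionIn
    INT ifPosB.TrainPositionManager.OUT.PositionOut.RBC_ComputeChannel_B.IN.PositionIn
    INT ifPosC.TrainPositionManager.OUT.PositionOut.RBC_ComputeChannel_C.IN.PositionIn
    INT ifRouteA.RouteLocker.OUT.RouteStatus.RBC_ComputeChannel_A.IN.RouteIn
    INT ifRouteB.RouteLocker.OUT.RouteStatus.RBC_ComputeChannel_B.IN.RouteIn
    INT ifRouteC.RouteLocker.OUT.RouteStatus.RBC_ComputeChannel_C.IN.RouteIn
    INT ifSepA.TrainSeparationLogic.OUT.SeparationOut.RBC_ComputeChannel_A.IN.SeparationIn
    INT ifSepB.TrainSeparationLogic.OUT.SeparationOut.RBC_ComputeChannel_B.IN.SeparationIn
    INT ifSepC.TrainSeparationLogic.OUT.SeparationOut.RBC_ComputeChannel_C.IN.SeparationIn
    INT ifConfA.ConflictDetector.OUT.ConflictOut.RBC_ComputeChannel_A.IN.ConflictIn
    INT ifConfB.ConflictDetector.OUT.ConflictOut.RBC_ComputeChannel_B.IN.ConflictIn
    INT ifConfC.ConflictDetector.OUT.ConflictOut.RBC_ComputeChannel_C.IN.ConflictIn
    INT ifTOutA.TimeoutSupervisor.OUT.TimeoutOut.RBC_ComputeChannel_A.IN.TimeoutIn
    INT ifTOutB.TimeoutSupervisor.OUT.TimeoutOut.RBC_ComputeChannel_B.IN.TimeoutIn
    INT ifTOutC.TimeoutSupervisor.OUT.TimeoutOut.RBC_ComputeChannel_C.IN.TimeoutIn
    INT ifEmergA.EmergencyMessageHandler.OUT.EmergencyOut.RBC_ComputeChannel_A.IN.EmergencyIn
    INT ifEmergB.EmergencyMessageHandler.OUT.EmergencyOut.RBC_ComputeChannel_B.IN.EmergencyIn
    INT ifEmergC.EmergencyMessageHandler.OUT.EmergencyOut.RBC_ComputeChannel_C.IN.EmergencyIn
    INT ifHandA.HandoverCoordinator.OUT.HandoverOut.RBC_ComputeChannel_A.IN.HandoverIn
    INT ifHandB.HandoverCoordinator.OUT.HandoverOut.RBC_ComputeChannel_B.IN.HandoverIn
    INT ifHandC.HandoverCoordinator.OUT.HandoverOut.RBC_ComputeChannel_C.IN.HandoverIn

    // --- OS and watchdog to compute channels ---
    INT ifOSA.SafePlatform_OS.OUT.OSOut.RBC_ComputeChannel_A.IN.OSIn
    INT ifOSB.SafePlatform_OS.OUT.OSOut.RBC_ComputeChannel_B.IN.OSIn
    INT ifOSC.SafePlatform_OS.OUT.OSOut.RBC_ComputeChannel_C.IN.OSIn
    INT ifWDA.WatchDog_Independent.OUT.WatchdogOut.RBC_ComputeChannel_A.IN.WatchdogIn
    INT ifWDB.WatchDog_Independent.OUT.WatchdogOut.RBC_ComputeChannel_B.IN.WatchdogIn
    INT ifWDC.WatchDog_Independent.OUT.WatchdogOut.RBC_ComputeChannel_C.IN.WatchdogIn

    // --- Channels to voter ---
    INT ifVoteA.RBC_ComputeChannel_A.OUT.ChanAOut.SafetyVoter.IN.VoteA
    INT ifVoteB.RBC_ComputeChannel_B.OUT.ChanBOut.SafetyVoter.IN.VoteB
    INT ifVoteC.RBC_ComputeChannel_C.OUT.ChanCOut.SafetyVoter.IN.VoteC
    INT ifWDVote.WatchDog_Independent.OUT.WatchdogOut.SafetyVoter.IN.WatchdogIn

    // --- Voter to MA generator ---
    INT ifVotedMA.SafetyVoter.OUT.VotedOut.MovementAuthorityGenerator.IN.VotedIn

    // --- SCADA & operator & emergency ---
    INT ifOp.RBC.IN.Operator_Cmd.SCADA_Interface.IN.OperatorIn
    INT ifOpEmerg.SCADA_Interface.OUT.SCADAOut.EmergencyMessageHandler.IN.OperatorIn
    INT ifHandoverIn.RBC.IN.AdjacentRBC_Handover_In.HandoverCoordinator.IN.NeighbourIn

    // --- Juridical logger feeders ---
    INT ifMALog.MovementAuthorityGenerator.OUT.MAOut.Logger_Juridical.IN.MAIn
    INT ifScadaLog.SCADA_Interface.OUT.SCADAOut.Logger_Juridical.IN.SCADAIn
    INT ifDiagLog.DiagnosticServer.OUT.DiagOut.Logger_Juridical.IN.DiagIn

    // --- Top-level outputs ---
    // NOTE(review): Interlocking_Command is taken from the output of
    // Interlocking_Gateway_Primary, whose only interlocking-side input is
    // DataDiode_FromInterlocking. If the diode is one-way towards the RBC,
    // the command direction needs its own modelled path; confirm.
    INT ifMAGenGSMA.MovementAuthorityGenerator.OUT.MAOut.GSM_R_Gateway_A.IN.ERadioIn
    INT ifMAGenGSMB.MovementAuthorityGenerator.OUT.MAOut.GSM_R_Gateway_B.IN.ERadioIn
    INT ifMAGenFRMCS.MovementAuthorityGenerator.OUT.MAOut.FRMCS_Gateway_Future.IN.ERadioIn
    INT ifMAOutA.GSM_R_Gateway_A.OUT.MA_OutA.RBC.OUT.MA_Grant_GSMR_A
    INT ifMAOutB.GSM_R_Gateway_B.OUT.MA_OutB.RBC.OUT.MA_Grant_GSMR_B
    INT ifMAOutFRMCS.FRMCS_Gateway_Future.OUT.MA_OutFRMCS.RBC.OUT.MA_Grant_FRMCS
    INT ifIxlCmdOut.Interlocking_Gateway_Primary.OUT.IxlPrimOut.RBC.OUT.Interlocking_Command
    INT ifHandoverOut.HandoverCoordinator.OUT.HandoverOut.RBC.OUT.AdjacentRBC_Handover_Out
    INT ifScadaStatus.SCADA_Interface.OUT.SCADAOut.RBC.OUT.SCADA_Status
    INT ifLogOut.Logger_Juridical.OUT.LogOut.RBC.OUT.JuridicalLog

    // ================================================================
    // Top-Level Event
    // ================================================================
    // The TLE is evaluated for MA_TooPermissive on MA_Grant_GSMR_A only.
    // NOTE(review): the TLE description in the file header also covers a
    // conflicting route and an MA extended past a danger point, and MAs also
    // leave through MA_Grant_GSMR_B and MA_Grant_FRMCS. MA_ForConflictingRoute
    // and MA_Extended, and the B / FRMCS outputs, are not part of the
    // computed result; analyse them separately or widen the TLE if the tool
    // allows it.
    TLE IncorrectMovementAuthorityGranted.MA_Grant_GSMR_A.MA_TooPermissive
END FUNCTION

// ======================================================================
// Fault rate catalogue
// ISF: mu = 1.0e-06, sigma = 2.5e-07, clamped [3e-7, 2e-6]
// SF: mu = 2.5e-07, sigma = 1.375e-07, clamped [5e-8, 5e-7]
// TF: mu = 5.0e-08, sigma = 1.5e-08, clamped [1e-8, 1e-7]
//
// NOTE(review): the mu / sigma / clamp parameters suggest that the rates
// below were drawn from a distribution rather than taken from field or
// supplier data; replace them with justified values before using the
// result as safety evidence.
// NOTE(review): no unit is stated. If these are per-hour rates, single
// post-voter contributors such as MovementAuthorityGenerator.MAOut.
// MA_TooPermissive already exceed the SIL 4 tolerable hazard rate band of
// EN 50129 (1e-9 <= THR < 1e-8 per hour) on their own.
// ======================================================================

// --- ISF (external top-level inputs) ---
ISF RBC.GridPower.Power_Lost 1.1683e-06
ISF RBC.BackupGenFuel_Level.Power_Lost 8.0288e-07
ISF RBC.GPS_TimeSource.Clock_Lost 1.2447e-06
ISF RBC.GPS_TimeSource.Clock_Skew 1.0442e-06
ISF RBC.Interlocking_State_Primary.Message_Corrupted 9.3104e-07
ISF RBC.Interlocking_State_Primary.Interlocking_Link_Lost 1.1442e-06
ISF RBC.Interlocking_State_Backup.Interlocking_Link_Lost 5.4207e-07
ISF RBC.Interlocking_State_Backup.Route_NotLocked 1.0183e-06
ISF RBC.Interlocking_State_Backup.RouteLock_StatusFalse 1.1795e-06
ISF RBC.Interlocking_State_Backup.Message_Corrupted 1.2728e-06
ISF RBC.TrainReport_A.Message_Corrupted 9.4047e-07
ISF RBC.TrainReport_B.Message_Corrupted 8.8855e-07
ISF RBC.FRMCS_Traffic.Message_Corrupted 1.0968e-06
ISF RBC.AdjacentRBC_Handover_In.Message_Corrupted 1.0989e-06
ISF RBC.AdjacentRBC_Handover_In.Channel_Silent 9.2039e-07
ISF RBC.AdjacentRBC_Handover_In.Message_Spoofed 1.1310e-06
ISF RBC.Operator_Cmd.Message_Corrupted 1.0294e-06
ISF RBC.Operator_Cmd.Message_Spoofed 1.3807e-06
ISF RBC.FieldElement_Status.Interlocking_Link_Lost 9.1048e-07
ISF RBC.FieldElement_Status.RouteLock_StatusFalse 8.4107e-07
ISF RBC.FieldElement_Status.Message_Corrupted 4.7993e-07

// --- SF (systemic internal faults of subfunctions) ---
SF PowerSupply_Primary.MainsOut.Power_Lost 1.1851e-07
SF UPS_Battery.UPSOut.Power_Lost 8.8673e-08
SF DieselGenerator_Backup.GenOut.Power_Lost 1.1876e-07
SF HVAC_Equipment.CoolingOK.Power_Lost 2.1112e-07
SF Network_SafeTransport_A.NetOutA.Bus_Silent 1.1971e-07
SF Network_SafeTransport_A.NetOutA.Message_Corrupted 8.4582e-08
SF Network_SafeTransport_B.NetOutB.Bus_Silent 1.1973e-07
SF Network_SafeTransport_B.NetOutB.Message_Corrupted 9.0783e-08
SF TimeSync_GPS.TimeRef.Clock_Skew 1.1933e-07
SF TimeSync_GPS.TimeRef.Clock_Lost 1.1675e-07
SF CryptoServer.MACService.Crypto_MAC_Invalid 1.2948e-07
SF CryptoServer.MACService.Message_Corrupted 7.3173e-08
SF KeyManagement.KeyOut.Crypto_MAC_Invalid 1.0256e-07
SF EuroRadio_Stack_Server.ERadioOut.Message_Corrupted 1.1464e-07
SF EuroRadio_Stack_Server.ERadioOut.Message_Spoofed 6.2680e-08
SF EuroRadio_Stack_Server.ERadioOut.Channel_Silent 8.5026e-08
SF GSM_R_Gateway_A.RadioAOut.Message_Corrupted 1.0206e-07
SF GSM_R_Gateway_A.RadioAOut.Channel_Silent 5.7932e-08
SF GSM_R_Gateway_A.RadioAOut.Message_Spoofed 6.4629e-08
SF GSM_R_Gateway_A.MA_OutA.MA_Missing 2.8760e-07
SF GSM_R_Gateway_A.MA_OutA.MA_Late 4.1448e-07
SF GSM_R_Gateway_B.RadioBOut.Message_Corrupted 1.0141e-07
SF GSM_R_Gateway_B.RadioBOut.Channel_Silent 3.4462e-07
SF GSM_R_Gateway_B.RadioBOut.Message_Spoofed 6.9715e-08
SF GSM_R_Gateway_B.MA_OutB.MA_Missing 1.5308e-07
SF GSM_R_Gateway_B.MA_OutB.MA_Late 2.7076e-07
SF FRMCS_Gateway_Future.FRMCSOut.Message_Corrupted 2.8105e-07
SF FRMCS_Gateway_Future.FRMCSOut.Channel_Silent 4.3890e-07
SF FRMCS_Gateway_Future.MA_OutFRMCS.MA_Missing 5.0000e-08
SF FRMCS_Gateway_Future.MA_OutFRMCS.MA_Late 3.9065e-07
SF DataDiode_FromInterlocking.DiodeOut.Message_Corrupted 2.6851e-07
SF DataDiode_FromInterlocking.DiodeOut.Bus_Silent 3.5219e-07
SF Interlocking_Gateway_Primary.IxlPrimOut.Interlocking_Link_Lost 2.1229e-07
SF Interlocking_Gateway_Primary.IxlPrimOut.Route_NotLocked 8.5605e-08
SF Interlocking_Gateway_Primary.IxlPrimOut.RouteLock_StatusFalse 3.5211e-07
SF Interlocking_Gateway_Primary.IxlPrimOut.Message_Corrupted 3.0983e-07
SF Interlocking_Gateway_Backup.IxlBkpOut.Interlocking_Link_Lost 2.8935e-07
SF Interlocking_Gateway_Backup.IxlBkpOut.Route_NotLocked 8.4589e-08
SF Interlocking_Gateway_Backup.IxlBkpOut.RouteLock_StatusFalse 2.6455e-07
SF Interlocking_Gateway_Backup.IxlBkpOut.Message_Corrupted 2.6075e-07
SF LegacyFieldElement_Proxy.FieldOut.Interlocking_Link_Lost 4.2309e-07
SF LegacyFieldElement_Proxy.FieldOut.RouteLock_StatusFalse 2.7572e-07
SF LegacyFieldElement_Proxy.FieldOut.Message_Corrupted 1.0203e-07
SF TopologyDatabase.TopoOut.Position_Corrupted 1.4671e-07
SF TopologyDatabase.TopoOut.Route_NotLocked 2.7816e-07
SF RouteDatabase.RouteDBOut.Route_NotLocked 1.4895e-07
SF RouteDatabase.RouteDBOut.RouteLock_StatusFalse 3.1448e-07
SF TrainRegistry.RegOut.Position_Outdated 1.0495e-07
SF TrainRegistry.RegOut.Position_Corrupted 2.7946e-07
SF TrainPositionManager.PositionOut.Position_Outdated 3.9109e-07
SF TrainPositionManager.PositionOut.Position_Corrupted 2.5891e-07
SF RouteLocker.RouteStatus.Route_NotLocked 4.9757e-07
SF RouteLocker.RouteStatus.RouteLock_StatusFalse 3.7005e-07
SF RouteLocker.RouteStatus.Interlocking_Link_Lost 5.0000e-08
SF TrainSeparationLogic.SeparationOut.MA_TooPermissive 4.1236e-07
SF TrainSeparationLogic.SeparationOut.MA_ForConflictingRoute 2.3499e-07
SF ConflictDetector.ConflictOut.MA_ForConflictingRoute 2.0159e-07
SF ConflictDetector.ConflictOut.MA_TooPermissive 2.9605e-07
SF TimeoutSupervisor.TimeoutOut.MA_Extended 5.0000e-08
SF TimeoutSupervisor.TimeoutOut.MA_Late 2.8348e-07
SF EmergencyMessageHandler.EmergencyOut.MA_TooPermissive 2.7279e-07
SF EmergencyMessageHandler.EmergencyOut.MA_Missing 3.8112e-07
SF HandoverCoordinator.HandoverOut.MA_Duplicated 2.0105e-07
SF HandoverCoordinator.HandoverOut.MA_Missing 4.1225e-07
SF HandoverCoordinator.HandoverOut.MA_ForConflictingRoute 1.5480e-07
SF SafePlatform_OS.OSOut.Bus_Silent 5.0000e-08
SF SafePlatform_OS.OSOut.Power_Lost 5.0000e-07
SF SafePlatform_OS.OSOut.Clock_Skew 2.9807e-07
SF SafePlatform_OS.OSOut.Clock_Lost 2.7718e-07
SF WatchDog_Independent.WatchdogOut.Channel_Silent 2.1562e-07
SF WatchDog_Independent.WatchdogOut.Channel_Disagreement 1.5843e-07
SF RBC_ComputeChannel_A.ChanAOut.MA_TooPermissive 2.7037e-07
SF RBC_ComputeChannel_A.ChanAOut.MA_ForConflictingRoute 1.3985e-07
SF RBC_ComputeChannel_A.ChanAOut.MA_Extended 4.7451e-07
SF RBC_ComputeChannel_A.ChanAOut.MA_Late 2.1336e-07
SF RBC_ComputeChannel_A.ChanAOut.MA_Missing 3.3531e-07
SF RBC_ComputeChannel_A.ChanAOut.Channel_Silent 5.0000e-08
SF RBC_ComputeChannel_A.ChanAOut.Channel_Disagreement 3.2670e-07
SF RBC_ComputeChannel_B.ChanBOut.MA_TooPermissive 5.0000e-08
SF RBC_ComputeChannel_B.ChanBOut.MA_ForConflictingRoute 5.1429e-08
SF RBC_ComputeChannel_B.ChanBOut.MA_Extended 3.5329e-07
SF RBC_ComputeChannel_B.ChanBOut.MA_Late 2.4365e-07
SF RBC_ComputeChannel_B.ChanBOut.MA_Missing 3.1041e-07
SF RBC_ComputeChannel_B.ChanBOut.Channel_Silent 2.3753e-07
SF RBC_ComputeChannel_B.ChanBOut.Channel_Disagreement 1.4887e-07
SF RBC_ComputeChannel_C.ChanCOut.MA_TooPermissive 7.0663e-08
SF RBC_ComputeChannel_C.ChanCOut.MA_ForConflictingRoute 1.8395e-07
SF RBC_ComputeChannel_C.ChanCOut.MA_Extended 2.1459e-07
SF RBC_ComputeChannel_C.ChanCOut.MA_Late 2.9934e-07
SF RBC_ComputeChannel_C.ChanCOut.MA_Missing 2.7393e-07
SF RBC_ComputeChannel_C.ChanCOut.Channel_Silent 2.0554e-07
SF RBC_ComputeChannel_C.ChanCOut.Channel_Disagreement 2.9549e-07
SF SafetyVoter.VotedOut.MA_TooPermissive 2.4878e-07
SF SafetyVoter.VotedOut.MA_ForConflictingRoute 5.0000e-08
SF SafetyVoter.VotedOut.MA_Extended 2.3663e-07
SF SafetyVoter.VotedOut.MA_Late 3.4087e-07
SF SafetyVoter.VotedOut.MA_Missing 1.7092e-07
SF SafetyVoter.VotedOut.MA_Duplicated 2.2137e-07
SF MovementAuthorityGenerator.MAOut.MA_TooPermissive 3.3610e-07
SF MovementAuthorityGenerator.MAOut.MA_ForConflictingRoute 1.0220e-07
SF MovementAuthorityGenerator.MAOut.MA_Extended 3.8880e-07
SF MovementAuthorityGenerator.MAOut.MA_Missing 2.3427e-07
SF MovementAuthorityGenerator.MAOut.MA_Late 2.8883e-07
SF MovementAuthorityGenerator.MAOut.MA_Duplicated 1.9992e-07
SF MovementAuthorityGenerator.MAOut.Crypto_MAC_Invalid 3.2808e-07
SF MovementAuthorityGenerator.MAOut.Message_Spoofed 3.1565e-07
SF SCADA_Interface.SCADAOut.Message_Corrupted 3.6820e-07
SF SCADA_Interface.SCADAOut.Bus_Silent 1.3933e-07
SF DiagnosticServer.DiagOut.Bus_Silent 2.1229e-07
SF DiagnosticServer.DiagOut.Clock_Skew 1.5308e-07
SF Logger_Juridical.LogOut.Message_Corrupted 1.0495e-07
SF Logger_Juridical.LogOut.Clock_Skew 2.7946e-07

// --- TF (transfer faults on the INT interfaces) ---
TF ifPwrGrid.Power_Lost 4.8492e-08
TF ifPwrFuel.Power_Lost 4.4934e-08
TF ifPwrMain.Power_Lost 4.4777e-08
TF ifPwrUPSHVAC.Power_Lost 6.3956e-08
TF ifPwrUPSNetA.Power_Lost 6.4784e-08
TF ifPwrGenNetB.Power_Lost 4.4431e-08
TF ifPwrUPSOS.Power_Lost 6.6739e-08
TF ifPwrGenWD.Power_Lost 3.1014e-08
TF ifPwrUPSTime.Power_Lost 4.9867e-08
TF ifPwrUPSCrypto.Power_Lost 5.7909e-08
TF ifPwrGenKey.Power_Lost 5.5167e-08
TF ifPwrUPSERadio.Power_Lost 2.8924e-08
TF ifPwrUPSGSMA.Power_Lost 8.3734e-08
TF ifPwrGenGSMB.Power_Lost 5.8973e-08
TF ifPwrUPSFRMCS.Power_Lost 4.1595e-08
TF ifPwrUPSIxlP.Power_Lost 4.6782e-08
TF ifPwrGenIxlB.Power_Lost 5.5632e-08
TF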
ifPwrUPSField.Power_Lost 5.6130e-08 TF ifPwrUPSTopo.Power_Lost 8.6912e-08 TF ifPwrUPSRouteDB.Power_Lost 2.5807e-08 TF ifPwrUPSReg.Power_Lost 5.1981e-08 TF ifPwrUPSEmerg.Power_Lost 6.0412e-08 TF ifPwrUPSHand.Power_Lost 3.7631e-08 TF ifPwrUPSScada.Power_Lost 5.0492e-08 TF ifPwrGenDiag.Power_Lost 7.2313e-08 TF ifPwrUPSLog.Power_Lost 4.6978e-08 TF ifCool.Power_Lost 5.5716e-08 TF ifNetAOS.Bus_Silent 4.0523e-08 TF ifNetAOS.Message_Corrupted 6.8961e-08 TF ifNetBOS.Bus_Silent 3.4414e-08 TF ifNetBOS.Message_Corrupted 4.7946e-08 TF ifNetAERadio.Bus_Silent 4.5321e-08 TF ifNetAERadio.Message_Corrupted 6.2564e-08 TF ifNetBIxlP.Bus_Silent 7.5380e-08 TF ifNetBIxlP.Message_Corrupted 2.6888e-08 TF ifNetAIxlB.Bus_Silent 5.6067e-08 TF ifNetAIxlB.Message_Corrupted 4.8738e-08 TF ifGPS.Clock_Skew 4.4252e-08 TF ifGPS.Clock_Lost 5.6545e-08 TF ifTimeOS.Clock_Skew 5.4266e-08 TF ifTimeOS.Clock_Lost 5.8372e-08 TF ifTimeWD.Clock_Skew 5.6733e-08 TF ifTimeWD.Clock_Lost 4.8839e-08 TF ifTimeTimeout.Clock_Skew 4.8950e-08 TF ifTimeTimeout.Clock_Lost 7.4157e-08 TF ifTimePos.Clock_Lost 4.2769e-08 TF ifTimeHand.Clock_Skew 3.4640e-08 TF ifTimeDiag.Clock_Skew 5.0424e-08 TF ifTimeLog.Clock_Skew 6.7063e-08 TF ifKey.Crypto_MAC_Invalid 7.2018e-08 TF ifMACERadio.Crypto_MAC_Invalid 2.9680e-08 TF ifMACMA.Crypto_MAC_Invalid 2.5919e-08 TF ifTrainA.Message_Corrupted 4.9564e-08 TF ifTrainB.Message_Corrupted 5.5140e-08 TF ifFRMCS.Message_Corrupted 3.3196e-08 TF ifERadioGSMA.Message_Corrupted 5.6132e-08 TF ifERadioGSMA.Channel_Silent 5.3207e-08 TF ifERadioGSMA.Message_Spoofed 4.7102e-08 TF ifERadioGSMB.Message_Corrupted 5.5968e-08 TF ifERadioGSMB.Channel_Silent 5.8060e-08 TF ifERadioGSMB.Message_Spoofed 6.1453e-08 TF ifERadioFRMCS.Message_Corrupted 4.6924e-08 TF ifERadioFRMCS.Channel_Silent 4.3127e-08 TF ifERadioEmerg.Channel_Silent 3.5542e-08 TF ifERadioEmerg.Message_Spoofed 3.8918e-08 TF ifERadioHand.Message_Corrupted 4.9826e-08 TF ifERadioHand.Channel_Silent 4.2992e-08 TF ifERadioHand.Message_Spoofed 5.2998e-08 TF 
ifIxlPrim.Message_Corrupted 2.5443e-08 TF ifIxlPrim.Interlocking_Link_Lost 5.4632e-08 TF ifIxlBkp.Interlocking_Link_Lost 4.8492e-08 TF ifIxlBkp.Route_NotLocked 4.4934e-08 TF ifIxlBkp.RouteLock_StatusFalse 4.4777e-08 TF ifIxlBkp.Message_Corrupted 6.3956e-08 TF ifDiode.Message_Corrupted 6.4784e-08 TF ifDiode.Bus_Silent 4.4431e-08 TF ifField.Interlocking_Link_Lost 6.6739e-08 TF ifField.RouteLock_StatusFalse 3.1014e-08 TF ifField.Message_Corrupted 4.9867e-08 TF ifIxlPrimRouteLock.Route_NotLocked 5.7909e-08 TF ifIxlPrimRouteLock.RouteLock_StatusFalse 5.5167e-08 TF ifIxlPrimRouteLock.Interlocking_Link_Lost 2.8924e-08 TF ifIxlBkpRouteLock.Route_NotLocked 8.3734e-08 TF ifIxlBkpRouteLock.RouteLock_StatusFalse 5.8973e-08 TF ifIxlBkpRouteLock.Interlocking_Link_Lost 4.1595e-08 TF ifFieldRouteLock.RouteLock_StatusFalse 4.6782e-08 TF ifRouteDB.Route_NotLocked 5.5632e-08 TF ifRouteDB.RouteLock_StatusFalse 5.6130e-08 TF ifRegPos.Position_Outdated 8.6912e-08 TF ifRegPos.Position_Corrupted 2.5807e-08 TF ifTopoSep.Position_Corrupted 5.1981e-08 TF ifTopoSep.Route_NotLocked 6.0412e-08 TF ifTopoConf.Route_NotLocked 3.7631e-08 TF ifTopoA.Position_Corrupted 5.0492e-08 TF ifTopoB.Position_Corrupted 7.2313e-08 TF ifTopoC.Position_Corrupted 4.6978e-08 TF ifTopoMA.Route_NotLocked 5.5716e-08 TF ifPosRepA.Message_Corrupted 4.0523e-08 TF ifPosRepB.Message_Corrupted 6.8961e-08 TF ifPosSep.Position_Outdated 3.4414e-08 TF ifPosSep.Position_Corrupted 4.7946e-08 TF ifPosTimeout.Position_Outdated 4.5321e-08 TF ifSepConf.MA_TooPermissive 6.2564e-08 TF ifSepConf.MA_ForConflictingRoute 7.5380e-08 TF ifRouteConf.Route_NotLocked 2.6888e-08 TF ifRouteConf.RouteLock_StatusFalse 5.6067e-08 TF ifPosA.Position_Outdated 4.8738e-08 TF ifPosB.Position_Outdated 4.4252e-08 TF ifPosC.Position_Outdated 5.6545e-08 TF ifRouteA.Route_NotLocked 5.4266e-08 TF ifRouteA.RouteLock_StatusFalse 5.8372e-08 TF ifRouteB.Route_NotLocked 5.6733e-08 TF ifRouteB.RouteLock_StatusFalse 4.8839e-08 TF ifRouteC.Route_NotLocked 4.8950e-08 
TF ifRouteC.RouteLock_StatusFalse 7.4157e-08 TF ifSepA.MA_TooPermissive 4.2769e-08 TF ifSepB.MA_TooPermissive 3.4640e-08 TF ifSepC.MA_TooPermissive 5.0424e-08 TF ifConfA.MA_ForConflictingRoute 6.7063e-08 TF ifConfB.MA_ForConflictingRoute 7.2018e-08 TF ifConfC.MA_ForConflictingRoute 2.9680e-08 TF ifTOutA.MA_Extended 2.5919e-08 TF ifTOutB.MA_Extended 4.9564e-08 TF ifTOutC.MA_Extended 5.5140e-08 TF ifEmergA.MA_TooPermissive 3.3196e-08 TF ifEmergB.MA_TooPermissive 5.6132e-08 TF ifEmergC.MA_TooPermissive 5.3207e-08 TF ifHandA.MA_ForConflictingRoute 4.7102e-08 TF ifHandB.MA_ForConflictingRoute 5.5968e-08 TF ifHandC.MA_ForConflictingRoute 5.8060e-08 TF ifOSA.Clock_Skew 6.1453e-08 TF ifOSB.Clock_Skew 4.6924e-08 TF ifOSC.Clock_Skew 4.3127e-08 TF ifWDA.Channel_Silent 3.5542e-08 TF ifWDB.Channel_Silent 3.8918e-08 TF ifWDC.Channel_Silent 4.9826e-08 TF ifVoteA.MA_TooPermissive 4.2992e-08 TF ifVoteB.MA_TooPermissive 5.2998e-08 TF ifVoteC.MA_TooPermissive 2.5443e-08 TF ifWDVote.Channel_Silent 5.4632e-08 TF ifVotedMA.MA_TooPermissive 4.8492e-08 TF ifOp.Message_Corrupted 4.4934e-08 TF ifOpEmerg.Message_Spoofed 4.4777e-08 TF ifHandoverIn.Message_Corrupted 6.3956e-08 TF ifHandoverIn.Channel_Silent 6.4784e-08 TF ifHandoverIn.Message_Spoofed 4.4431e-08 TF ifMALog.MA_TooPermissive 6.6739e-08 TF ifScadaLog.Message_Corrupted 3.1014e-08 TF ifDiagLog.Bus_Silent 4.9867e-08 TF ifMAGenGSMA.MA_TooPermissive 5.7909e-08 TF ifMAGenGSMB.MA_TooPermissive 5.5167e-08 TF ifMAGenFRMCS.MA_TooPermissive 2.8924e-08 TF ifMAOutA.MA_TooPermissive 8.3734e-08 TF ifMAOutB.MA_TooPermissive 5.8973e-08 TF ifMAOutFRMCS.MA_TooPermissive 4.1595e-08 TF ifIxlCmdOut.Message_Corrupted 4.6782e-08 TF ifHandoverOut.MA_Duplicated 5.5632e-08 TF ifScadaStatus.Bus_Silent 5.6130e-08 TF ifLogOut.Message_Corrupted 8.6912e-08