EN 50128

from Wikipedia, the free encyclopedia
DIN EN 50128
Area: Railway applications
Title: Telecommunication technology, signaling technology and data processing systems
Brief description: Software for railway control and monitoring systems
Latest edition: 2012-03

EN 50128 is a European standard for safety-related software in railway applications, both trackside and on board trains. Together with EN 50129, which covers the hardware and the approval process, EN 50128 is a railway-specific specialization of EN 61508. EN 50128 is a process standard: it specifies which procedures, principles and measures are to be applied so that the software can be considered safe.

The first version of EN 50128 was published in 2001. The currently valid version was drawn up in German by the VDE and put into effect by CENELEC in March 2012. Its full title is: DIN EN 50128; VDE 0831-128:2012-03: Railway applications - Telecommunication technology, signaling technology and data processing systems - Software for railway control and monitoring systems; German version EN 50128:2011. In September 2014 a corrigendum was issued that set the end of the transition period for EN 50128; VDE 0831-128:2012-03 to the end of April 2017. To provide further guidance on some topics of this version of the standard, a supplementary sheet was published in July 2016. It covers SIL 0, tools, roles and independence, documents, methods and the streamlining of processes.

In Austria this standard is published as OEVE / OENORM EN 50128 and in Switzerland as SN EN 50128.

Principles of the standard

The following principles are to be applied, among others:

  • Top-down design process
  • Modularity
  • Verification of every phase of the development life cycle
  • Verified software components and software component libraries
  • Clear documentation and traceability
  • Auditable documents
  • Validation
  • Assessment
  • Configuration management and change management
  • Appropriate consideration of questions of organization and the competence of the staff

Content

Software safety integrity level

The software development process according to EN 50128 begins with a safety classification of the software, which is taken from EN 50126-2. The standard distinguishes five software safety integrity levels (SIL), from 0 to 4. Assignment to a level is based on the so-called tolerable hazard rate (THR).

THR [h⁻¹]   SIL assignment
            0
            1
            2
            3
            4

It should be noted that in the latest draft of EN 50128, as in EN 50126, the lowest software safety integrity level is no longer referred to as SIL 0 but as "basic integrity".

Software development process

EN 50128 prescribes the creation of a software requirements specification. Among other things, the document must be complete, unambiguous and testable. The software requirements specification is refined step by step into the software architecture, then the software design and finally the software module design; coding follows. Each step must be documented, and the result of each step must be checked (verification).

The finished code must be tested step by step: first the software modules are tested individually, then the interaction of the individual software modules (software integration test), then the interaction between software and hardware (software/hardware integration test). In a final validation, the software on the target hardware is checked against the software requirements specification. For SIL > 0, the software must be assessed by an expert certified by a European safety authority.

One of the development processes described in EN 50128 is also known as the V-model. Like the letter "V", it consists of a descending branch (refining the specification down to coding) and an ascending branch (assembling, testing and validating the software).

Cross-process requirements

In addition to the requirements for the software development process, EN 50128 also contains specifications for the qualification of personnel, documentation, quality management and the procedure for changes to delivered software (software maintenance, Chapter 16 of EN 50128).

Techniques and measures

EN 50128 recommends or requires: "An appropriate set of tools, including design methods, languages and compilers, must be selected for the required software safety integrity level over the entire life cycle of the software." The scope, binding force and quality of these techniques and measures increase with rising SIL.

For example, for SIL 0 the standard recommends functional tests of the software. For SIL 1 and 2, additional test techniques such as performance tests are recommended, and for SIL 3 and 4, among other things, the use of a programming language with strong typing.

Scope

EN 50128 applies to all safety-relevant railway software. In Germany, the Federal Railway Authority (EBA) has expressly made EN 50128 binding for safety-relevant software on board railway vehicles through its administrative regulation on the acceptance of railway vehicles under Section 32 (1) EBO in the area of responsibility of the Federal Railway Authority (VwV Abnahme § 32; see Appendix 1, No. 13 of the VwV Abnahme § 32). In cooperation with the Association of the Railway Industry in Germany (VDB) and Deutsche Bahn, the EBA has slightly modified the requirements of EN 50128 as far as the acceptance of vehicle software is concerned:

  • A distinction is only made between non-safety-relevant software (SIL = 0) and safety-relevant software (SIL > 0).
  • When changes are made to the software supplied, not only Chapter 16 of EN 50128, but its entire set of requirements must be observed.
