EN 50716: Unified Software Standard for Railway Systems (Replacing EN 50128 & EN 50657)
EN 50716 is the new unified standard for railway software, replacing EN 50128 and EN 50657. It provides a cross-functional framework for the development, testing, and validation of safety-related software (Signalling & Rolling Stock), enforcing the V-Model lifecycle and strict Independence criteria based on Safety Integrity Levels (SIL 0 – SIL 4).

EN 50716 represents a paradigm shift in railway software engineering. Historically, the industry relied on separate standards for trackside signalling (EN 50128) and rolling stock (EN 50657). EN 50716 unifies these requirements into a single, Cross-Functional Standard valid for all railway software development.
This harmonization eliminates ambiguity for system integrators and suppliers, establishing a common rigorous methodology for the Software Development Lifecycle (V-Model), regardless of whether the code runs on a locomotive or an interlocking computer.
1. Scope: From Code to Certification
EN 50716 applies to all safety-related software used in railway control and protection systems. It dictates the process for:
- Software Requirements Specification (SRS): Defining exactly what the software must (and must not) do.
- Architecture & Design: Modular structure to prevent “Spaghetti Code.”
- Verification & Validation (V&V): Ensuring the code meets the requirements and is free of critical bugs.
- Maintenance: Safely patching software without compromising existing safety functions.
2. Safety Integrity Levels (SIL) & Rigor
The standard categorizes software based on the risk it poses. A higher Safety Integrity Level (SIL) demands more rigorous testing and greater independence during validation. The following table illustrates the escalation of rigor:

| SIL Level | Risk Context | Testing Requirement | Assessor Independence |
|---|---|---|---|
| SIL 0 | Non-Safety Related | Functional Testing | Self-Assessment allowed |
| SIL 1 / SIL 2 | Low/Medium Risk | Structural Coverage (Branch) | Independent Person (within the same organization) |
| SIL 3 / SIL 4 | High/Critical Risk (Life Threatening) | MC/DC Coverage + Formal Methods | Independent Organization (Third Party) required |
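To make the step from branch coverage (SIL 1/2) to MC/DC coverage (SIL 3/4) concrete, the following added Python example (not from the standard or any certified tool) checks whether a test set achieves each criterion for a constructed door-release decision; the condition names and decision logic are assumptions for illustration only.

```python
# Constructed example decision (an assumption, not taken from EN 50716):
# a train door-release interlock with three boolean conditions.
CONDITIONS = ("speed_zero", "doors_on_platform_side", "maintenance_override")

def decision(speed_zero, doors_on_platform_side, maintenance_override):
    """Doors may be released when the train is stopped on the platform side,
    or when a maintenance override is active."""
    return (speed_zero and doors_on_platform_side) or maintenance_override

def branch_covered(vectors):
    """Branch coverage (SIL 1/2 level): the decision has been observed both
    True and False. Says nothing about which condition caused the outcome."""
    outcomes = {decision(*v) for v in vectors}
    return outcomes == {True, False}

def mcdc_pairs(vectors):
    """MC/DC (SIL 3/4 level): every condition needs an 'independence pair',
    i.e. two vectors that differ only in that condition and yield different
    decision outcomes. Returns condition -> (vector_true, vector_false) or None."""
    vectors = [tuple(bool(x) for x in v) for v in vectors]
    pairs = {}
    for i, name in enumerate(CONDITIONS):
        found = None
        for a in vectors:
            for b in vectors:
                same_others = all(a[j] == b[j] for j in range(len(CONDITIONS)) if j != i)
                if a[i] and not b[i] and same_others and decision(*a) != decision(*b):
                    found = (a, b)
                    break
            if found:
                break
        pairs[name] = found  # None means this condition's effect was never isolated
    return pairs

def mcdc_covered(vectors):
    return all(p is not None for p in mcdc_pairs(vectors).values())

# Constructed test sets. Two vectors already satisfy branch coverage ...
BRANCH_ONLY = [(True, True, False), (False, False, False)]
# ... but MC/DC needs n+1 = 4 vectors here, each condition shown to flip the outcome.
MCDC_SET = [(True, True, False), (False, True, False), (True, False, False), (False, True, True)]

if __name__ == "__main__":
    print("branch-only set: branch =", branch_covered(BRANCH_ONLY), "MC/DC =", mcdc_covered(BRANCH_ONLY))
    print("MC/DC set:       branch =", branch_covered(MCDC_SET), "MC/DC =", mcdc_covered(MCDC_SET))
    for name, pair in mcdc_pairs(MCDC_SET).items():
        print(f"  {name}: independence pair {pair}")
```

The branch-only set passes the SIL 1/2 criterion yet leaves every condition's individual effect undemonstrated, which is exactly the gap the SIL 3/4 row closes.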
3. The V-Model Methodology
EN 50716 mandates the “V-Model” lifecycle. Every step on the descending branch (Design) must have a corresponding verification step on the ascending branch (Testing):
- System Requirements ↔ System Validation
- Software Architecture ↔ Software Integration Test
- Component Design ↔ Module/Unit Testing
This traceability ensures that no line of code exists without a requirement, and no requirement exists without a test case.
4. Managing COTS (Commercial Off-The-Shelf)
Modern trains use standard operating systems (like Linux or Windows) for non-critical functions. EN 50716 provides strict guidelines for integrating COTS software. You cannot simply install standard software in a SIL 4 environment; it must either be encapsulated or demonstrated to be “proven in use” so that it cannot compromise the safety loop.