Europe’s EN 50129: The Cornerstone of Rail Safety
EN 50129 is the cornerstone for railway signalling safety. Learn its principles, safety lifecycle, SILs, and the critical Safety Case for system approval.

Understanding EN 50129: The Cornerstone of Railway Signalling Safety
EN 50129, titled “Railway applications – Communication, signalling and processing systems – Safety related electronic systems for signalling,” is a fundamental European standard that specifies the processes, requirements, and evidence necessary for the development of safety-related electronic systems used in railway signalling applications. It forms a critical part of the CENELEC EN 5012x series, providing a framework to ensure that systems responsible for train movement and safety perform their functions with the highest degree of integrity.
The standard is not a product standard; rather, it is a process-oriented standard. It does not dictate what a system must do, but rather how to develop, validate, and approve a system to demonstrate that it is acceptably safe for its intended application throughout its entire lifecycle, from concept to decommissioning.
Core Principles of EN 50129
The methodology of EN 50129 is built upon several key principles that guide the entire development and approval process. These principles ensure a structured, auditable, and rigorous approach to achieving functional safety.
The Safety Lifecycle
EN 50129 mandates a comprehensive safety lifecycle for any safety-related system. This lifecycle covers all phases, ensuring that safety is considered at every stage, not just as a final test. Key phases include:
- Concept and System Definition
- Hazard Analysis and Risk Assessment
- System Requirements Specification
- Architecture and Design
- Implementation (Hardware and Software)
- Integration and Testing
- System Validation
- Safety Assessment and Approval
- Operation and Maintenance
- Modification and Decommissioning
Safety Integrity Levels (SILs)
A central concept in EN 50129 is the Safety Integrity Level (SIL). A SIL expresses the degree of confidence required that a safety function will be performed correctly, on a scale from SIL 1 (lowest integrity) to SIL 4 (highest integrity). The required SIL is not chosen freely: the risk assessment performed under EN 50126 assigns each hazard a Tolerable Hazard Rate (THR) based on the severity and frequency of its consequences, and the THR allocated to a safety function determines the SIL required of it. Lower tolerable rates demand higher integrity: SIL 4 corresponds to a THR between 10^-9 and 10^-8 dangerous failures per hour, SIL 1 to a THR between 10^-6 and 10^-5. The SIL in turn selects the design techniques, verification measures and degree of organisational independence that the standard requires.
The Safety Case
The ultimate output required by EN 50129 is the Safety Case. A Safety Case is a structured and compelling argument, supported by a body of evidence, that a system is acceptably safe for a given application in a given environment. It is a living document that must be maintained throughout the system’s lifecycle. It demonstrates to regulatory bodies and railway authorities that all required safety activities have been performed correctly and that all identified hazards have been adequately controlled.
Roles and Responsibilities
The standard clearly defines independent roles within a project to prevent conflicts of interest and ensure objectivity. Key roles include the Designer, the Verifier, the Validator, and, crucially, the independent Safety Assessor. The Assessor’s role is to perform an independent judgement on the adequacy of the system’s safety and the quality of the Safety Case. The required degree of independence between these roles increases with the SIL: for SIL 3 and SIL 4 the Validator must be independent of the design team, and the Assessor must be independent of the project organisation.
Relationship with Other CENELEC Standards
EN 50129 does not exist in isolation. It is part of a trio of key CENELEC standards for railway safety, each with a distinct but interconnected focus. Understanding their relationship is vital for any railway engineering project.
| Standard | Primary Focus | Key Concepts | Main Output |
|---|---|---|---|
| EN 50126 (RAMS) | The overall process for Reliability, Availability, Maintainability, and Safety (RAMS). It sets the framework for the entire system lifecycle at the highest level. | RAMS Management, Hazard Identification (HAZID), Risk Assessment, Lifecycle Cost. | RAMS Plan, Hazard Log, System Requirements Specification. |
| EN 50128 (Software) | Specific processes and techniques for the development of safety-related software for railway control and protection systems. | Software Safety Integrity Levels (SSIL), V-Model, Software architecture, Coding standards, Static analysis, Dynamic testing. | Validated and verified software components, Software Safety Case evidence. |
| EN 50129 (Systems) | The overall safety approval process for safety-related electronic systems (hardware and its integration with software). It focuses on the evidence required for system approval. | System Safety Lifecycle, Safety Integrity Levels (SIL), Fault tolerance, Fail-safe principles, Hardware design techniques. | A complete and approved Safety Case for the system. |
Key Technical Aspects and Lifecycle Phases in EN 50129
EN 50129 details specific technical requirements and activities that must be performed throughout the system’s development.
System Requirements and Design
This phase begins with capturing the safety requirements derived from the hazard analysis performed under EN 50126. The standard requires that the system architecture be designed to be robust against credible failures. Techniques such as redundancy (e.g., 2-out-of-2 architectures, in which two channels must agree before a permissive output is produced, or 2-out-of-3 voting), diversity (different technologies or implementations performing the same function, so that a single design fault or common-cause event cannot defeat all channels at once), and fail-safe behaviour (EN 50129 distinguishes inherent, composite and reactive fail-safety) are fundamental design considerations driven by the SIL requirement.
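The following Python is an added worked example, not code from the page or from the EN 50129 standard. It serves both the SIL discussion above and this section on redundant architectures: it estimates the hazardous failure rate of a single channel, a 2-out-of-2 comparison architecture and a 2-out-of-3 voting architecture, and checks each against the THR allocated to the function. The THR-to-SIL bands are those of EN 50129; the hazard-rate formulas are first-order approximations supplied here (first channel fails, second channel fails alike before the first failure is detected and negated), with a beta-factor term for common-cause failures. The input names `lam`, `t_det` and `beta` and the numbers in `worked_example()` are constructed for illustration.

```python
# Added example, not code from the page or from EN 50129.
# Assumed inputs (illustrative, not from the page):
#   lam    dangerous failure rate of one channel, failures per hour
#   t_det  hours a single-channel failure can persist before the comparator
#          or voter detects it and the system is forced to its safe state
#          (detection plus negation time)
#   beta   fraction of channel failures that are common-cause, i.e. hit all
#          channels at once (beta-factor model); diversity is what lowers it


def required_sil(thr_per_hour: float) -> int:
    """Map a THR (dangerous failures per hour, per function) to the EN 50129
    SIL band. Lower THR means higher SIL. Returns 0 when the THR lies above
    the SIL 1 band (no safety integrity requirement). Rates below 1e-9/h are
    outside the tabulated bands and are treated as SIL 4 here (assumption)."""
    if thr_per_hour < 1e-8:
        return 4
    if thr_per_hour < 1e-7:
        return 3
    if thr_per_hour < 1e-6:
        return 2
    if thr_per_hour < 1e-5:
        return 1
    return 0


def hazard_rate_single(lam: float) -> float:
    """One channel, no redundancy: every dangerous failure is hazardous."""
    return lam


def hazard_rate_2oo2(lam: float, t_det: float, beta: float = 0.0) -> float:
    """Two channels that must agree (composite fail-safety). Hazardous only
    if the second channel fails alike while the first failure is still
    undetected: rate of a first failure (2*lam_i) times the probability of a
    second within t_det (lam_i*t_det), plus the common-cause share, which
    defeats both channels at the same time."""
    lam_i = (1.0 - beta) * lam          # independent failures only
    return 2.0 * lam_i * lam_i * t_det + beta * lam


def hazard_rate_2oo3(lam: float, t_det: float, beta: float = 0.0) -> float:
    """Three channels with majority voting. Any two of the three failing
    alike within t_det outvote the good one, so there are three channel
    pairs instead of one: 3 * (2*lam_i) * (lam_i*t_det). 2oo3 buys
    availability, not a lower hazard rate than 2oo2."""
    lam_i = (1.0 - beta) * lam
    return 6.0 * lam_i * lam_i * t_det + beta * lam


def assess(architecture: str, lam: float, t_det: float,
           beta: float, thr: float) -> dict:
    """Hazard rate for one architecture, checked against the allocated THR."""
    rate = {
        "1oo1": lambda: hazard_rate_single(lam),
        "2oo2": lambda: hazard_rate_2oo2(lam, t_det, beta),
        "2oo3": lambda: hazard_rate_2oo3(lam, t_det, beta),
    }[architecture]()
    return {
        "architecture": architecture,
        "hazard_rate_per_hour": rate,
        "required_sil": required_sil(thr),
        "meets_thr": rate <= thr,
    }


def worked_example() -> dict:
    """Constructed figures: channel failure rate 1e-5/h, a 1 h detection-and-
    negation window, and a THR of 1e-9/h (bottom of the SIL 4 band), first
    with no common-cause share and then with 2 % common-cause failures."""
    lam, t_det, thr = 1e-5, 1.0, 1e-9
    results = {}
    for beta in (0.0, 0.02):
        for arch in ("1oo1", "2oo2", "2oo3"):
            results[(arch, beta)] = assess(arch, lam, t_det, beta, thr)
    return results


if __name__ == "__main__":
    for (arch, beta), r in worked_example().items():
        print(f"{arch} beta={beta:<4} hazard={r['hazard_rate_per_hour']:.2e}/h "
              f"SIL {r['required_sil']} target met: {r['meets_thr']}")
```

With no common-cause share, both redundant architectures bring a 1e-5/h channel down to a few 1e-10/h and meet the SIL 4 target; a 2 % common-cause share puts the hazard rate back at about 2e-7/h regardless of how many identical channels are added. That is the quantitative reason the section pairs redundancy with diversity: the beta term is what diverse technologies reduce, and no amount of identical redundancy touches it.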
Hardware Development and Manufacturing
For hardware, EN 50129 demands rigorous processes to control both systematic failures (design and specification errors, which redundancy alone does not remove) and random hardware failures (physical degradation of components). This includes:
- Failure Mode and Effects Analysis (FMEA/FMECA): A systematic method to identify potential failure modes of hardware components and their effects on the system.
- Component Selection: Choosing components with known reliability and suitable for the harsh railway environment.
- Manufacturing Quality Control: Ensuring that the manufactured system is identical to the proven design.
Integration, Testing, and Validation
The standard places heavy emphasis on verification and validation (V&V). Verification confirms that the system was built correctly according to its design specifications (“Are we building the product right?”). Validation confirms that the system meets the user’s needs and safety requirements (“Are we building the right product?”). Validation must be performed by a team independent of the design team to ensure objectivity.
The Importance of the Safety Case
The Safety Case is the culmination of all work performed under EN 50129. It is not merely a collection of documents but a coherent argument. It typically includes:
- Definition of the System: A clear description of the system, its boundaries, and its functions.
- Quality Management Report: Evidence that the project was managed under a suitable quality management system.
- Safety Management Report: Evidence that all safety activities in the safety plan were correctly executed.
- Technical Safety Report: The core technical evidence, including hazard analyses, FMEAs, test reports, and calculations demonstrating that safety targets have been met.
- Related Safety Cases: References to safety cases for pre-existing or COTS (Commercial Off-The-Shelf) components used in the system.
- Conclusion: A clear statement summarizing the safety argument and any constraints on the system’s use.
The approval of the Safety Case by a safety authority or railway operator is the final step that permits a system to be placed into operational service.