Code Critical: The Ultimate Guide to EN 50128 Railway Software Safety

Master EN 50128: The gold standard for railway software safety. Understand the V-Model, SIL 0-4 requirements, and strict validation protocols for control systems.

January 7, 2024 10:16 pm

What is EN 50128?

EN 50128 is the CENELEC European Standard formally titled “Railway applications – Communication, signalling and processing systems – Software for railway control and protection systems.” The edition in current use is EN 50128:2011. It is the rulebook for specifying, developing, testing, and validating software used in railway safety-critical applications, and it sits alongside EN 50126 (RAMS process) and EN 50129 (system safety), which decide how safe the system has to be before EN 50128 says how the software must be built to meet that target.

Unlike general software development, where a bug usually costs a crash or a support ticket, an error in railway software can cause an accident. EN 50128 therefore dictates a rigorous Software Development Lifecycle (SDLC) so that the code running in interlockings, ATC (Automatic Train Control) and TCMS (Train Control and Management Systems) behaves deterministically and exactly as specified, with the rate of dangerous failure driven down to whatever the system's safety case demands for its integrity level.

The V-Model Lifecycle

The backbone of EN 50128 is the V-Model. Every specification and design stage on the left arm has a testing stage at the same level of abstraction on the right arm, so each test exists because a specific requirement or design element exists:

  • Left side (specification and design): starts from the system requirements allocated to software, moves down through the Software Requirements Specification and the Software Architecture and Design, and ends at the design of individual components (called “modules” in the 2001 edition).
  • Bottom (implementation): the actual writing of the source code, which is where coding standards and the SIL-dependent language restrictions bite.
  • Right side (testing and validation): works back up in reverse order: component testing against the component design, software integration testing against the architecture, and finally software validation, which checks the delivered software against its requirements specification.

Verification is not confined to the right arm: the outputs of each left-hand phase are verified against the inputs of that phase as the V is descended, so a wrong requirement is meant to be caught before any code that implements it is written.

Safety Integrity Levels (SIL) in Software

Not all code is created equal. EN 50128 classifies software by the Safety Integrity Level (SIL) that the system-level hazard analysis (done under EN 50129) assigns to it, ranging from SIL 0 (no safety responsibility, called “basic integrity” in the 2011 edition) to SIL 4 (the most demanding level, where a dangerous failure could directly cause a collision or derailment). The SIL is inherited from the system; the software cannot award itself a lower one.

The higher the SIL, the stricter the rules. The standard's Annex A tables grade each technique per SIL as Mandatory (M), Highly Recommended (HR), Recommended (R) or Not Recommended (NR), and an HR technique that is not used has to be justified in writing, so in practice HR reads as “do this unless you can defend not doing it”. For SIL 3 and SIL 4 software (an emergency brake controller, for instance), dynamic memory allocation, unrestricted use of pointers, recursion and unconditional jumps all fall on the wrong side of that line: the code is written with statically allocated, fixed-size storage, loops bounded by constants rather than by input, and a limited, justified use of pointers. At the same level, formal methods (mathematically based specification and proof of correctness) move from optional to highly recommended.

Roles and Independence

To prevent bias, EN 50128 mandates organizational independence between roles. The standard names the roles explicitly (among them Requirements Manager, Designer, Implementer, Tester, Verifier, Integrator, Validator and Assessor) and states which of them one person may combine at each SIL. The person who writes the code (Designer or Implementer) cannot also be the Verifier or Validator of that same work. For SIL 3 and SIL 4, the Validator must be organizationally independent of the development team and cannot report to the project manager, and the Assessor, who passes judgement on the whole body of evidence, is independent of the project altogether, whether inside a separate part of the same company or in a different organization.

Comparison: Standard Software vs. EN 50128 Compliant Software

The difference between commercial software and railway safety software lies in the “Evidence of Safety.”

Aspect | Standard IT Software (Commercial) | EN 50128 Safety Software (Rail)
Primary Goal | Features, speed, time-to-market. | Safety, determinism, reliability.
Coding Style | Flexible; free use of complex libraries. | Restricted (coding standard such as MISRA C/C++); no “dead code”; simple control structures.
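The difference in coding style is easier to see than to describe. The following is an added example written for this page, not code from EN 50128 or from any railway supplier: the same small telegram decoder written twice, once in the commercial style the table's left column describes and once in the restricted style the SIL 3/4 rules push towards (no heap, fixed-size storage, a compile-time loop bound, a single exit and a named status code for every failure). The telegram format (a count byte followed by 2-byte big-endian speeds in km/h), the capacity and plausibility limits, and the sample telegrams are all invented for the example.

```c
/* Added example (not from the article or from EN 50128): one telegram decoder in
 * the two styles the table contrasts. Format, limits and telegrams are invented. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SPEED_ENTRIES 8u    /* fixed capacity: the only loop bound used   */
#define MAX_SPEED_KMH     350u  /* plausibility limit for a decoded value     */

typedef enum {
    DECODE_OK        = 0,
    DECODE_ERR_ARG   = 1,   /* NULL output pointer                            */
    DECODE_ERR_LEN   = 2,   /* buffer shorter than the count byte implies     */
    DECODE_ERR_COUNT = 3,   /* count byte exceeds the fixed capacity          */
    DECODE_ERR_RANGE = 4    /* a speed value fails the plausibility check     */
} decode_status_t;

typedef struct {
    uint8_t  count;
    uint16_t speed_kmh[MAX_SPEED_ENTRIES];
} speed_profile_t;

/* Commercial style: heap array sized by the untrusted count byte, loop bound taken
 * from input, success signalled only by a non-NULL pointer, caller owns the free().
 * Nothing here is wrong for a web service; it is the style a high-SIL coding
 * standard steers away from, because allocation can fail at run time and the
 * amount of work is decided by the data rather than by the design. */
uint16_t *decode_dynamic(const uint8_t *buf, size_t len, size_t *out_count)
{
    if (buf == NULL || out_count == NULL || len < 1u) return NULL;
    size_t n = buf[0];
    if (len < 1u + 2u * n) return NULL;
    uint16_t *out = malloc(n * sizeof *out);   /* may fail; only a NULL tells you */
    if (out == NULL) return NULL;
    for (size_t i = 0; i < n; i++)
        out[i] = (uint16_t)(((uint16_t)buf[1u + 2u * i] << 8) | buf[2u + 2u * i]);
    *out_count = n;
    return out;
}

/* Restricted style: no heap, fixed-size output owned by the caller, loop bound is a
 * compile-time constant, single exit, every failure is a named status code, and the
 * output is left in a defined (all-zero) state whenever the status is not OK. */
decode_status_t decode_static(const uint8_t *buf, size_t len, speed_profile_t *out)
{
    decode_status_t status = DECODE_OK;
    uint8_t n = 0u;
    size_t i;

    if (out == NULL) {
        status = DECODE_ERR_ARG;
    } else {
        (void)memset(out, 0, sizeof *out);
        if (buf == NULL || len < 1u) {
            status = DECODE_ERR_LEN;
        } else if (buf[0] > MAX_SPEED_ENTRIES) {
            status = DECODE_ERR_COUNT;              /* reject before trusting the count */
        } else if (len < 1u + 2u * (size_t)buf[0]) {
            status = DECODE_ERR_LEN;
        } else {
            n = buf[0];
            for (i = 0u; (i < MAX_SPEED_ENTRIES) && (status == DECODE_OK); i++) {
                if (i < n) {
                    uint16_t v = (uint16_t)(((uint16_t)buf[1u + 2u * i] << 8) | buf[2u + 2u * i]);
                    if (v > MAX_SPEED_KMH) {
                        status = DECODE_ERR_RANGE;
                    } else {
                        out->speed_kmh[i] = v;
                    }
                }
            }
            if (status == DECODE_OK) {
                out->count = n;
            } else {
                (void)memset(out, 0, sizeof *out);  /* never hand back a partial result */
            }
        }
    }
    return status;
}

/* Constructed telegrams for the example (not captured from any real system). */
const uint8_t TELEGRAM_GOOD[]      = {0x03, 0x00, 0xA0, 0x00, 0x50, 0x00, 0x00}; /* 160, 80, 0 km/h */
const uint8_t TELEGRAM_TOO_MANY[]  = {0x09, 0x00, 0x00};                         /* count 9 > capacity 8 */
const uint8_t TELEGRAM_TOO_FAST[]  = {0x01, 0x01, 0x90};                         /* 400 km/h > 350 */
const uint8_t TELEGRAM_TRUNCATED[] = {0x02, 0x00, 0xA0};                         /* promises 2, carries 1 */

int main(void)
{
    speed_profile_t p;
    size_t n = 0u;
    uint16_t *heap = decode_dynamic(TELEGRAM_GOOD, sizeof TELEGRAM_GOOD, &n);
    if (heap != NULL) {
        printf("dynamic: %u entries, first %u km/h\n", (unsigned)n, (unsigned)heap[0]);
        free(heap);
    }
    decode_status_t s = decode_static(TELEGRAM_GOOD, sizeof TELEGRAM_GOOD, &p);
    printf("static good:      status %d, count %u\n", (int)s, (unsigned)p.count);
    printf("static too many:  status %d\n", (int)decode_static(TELEGRAM_TOO_MANY, sizeof TELEGRAM_TOO_MANY, &p));
    printf("static too fast:  status %d\n", (int)decode_static(TELEGRAM_TOO_FAST, sizeof TELEGRAM_TOO_FAST, &p));
    printf("static truncated: status %d\n", (int)decode_static(TELEGRAM_TRUNCATED, sizeof TELEGRAM_TRUNCATED, &p));
    return 0;
}
```

Both functions reject the same malformed inputs; what changes is what a reviewer and a static analyser can prove. In decode_static the worst-case stack use, the maximum iteration count and the set of possible return values are all fixed at compile time, which is what makes the “evidence of safety” for a SIL 3/4 component something that can be written down rather than argued.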