prEN 50716

SLOVENSKI STANDARD
oSIST prEN 50716:2022
01-april-2022
Standard za navzkrižno delujočo programsko opremo za železnice
Cross-functional Software Standard for Railways
Ta slovenski standard je istoveten z: prEN 50716
ICS:
35.080 Programska oprema Software
35.240.60 Uporabniške rešitve IT v IT applications in transport
prometu
45.020 Železniška tehnika na Railway engineering in
splošno general
oSIST prEN 50716:2022 en

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

If this draft becomes a European Standard, CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which

stipulate the conditions for giving this European Standard the status of a national standard without any alteration.

This draft European Standard was established by CENELEC in three official versions (English, French, German).

A version in any other language made by translation under the responsibility of a CENELEC member into its own language and notified to

CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,

Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the

Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to

Warning : This document is not a European Standard. It is distributed for review and comments. It is subject to change without notice and

© 2022 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.

European foreword .................................................................................................................................. 4

Introduction.............................................................................................................................................. 5

1 Scope .......................................................................................................................................... 8

2 Normative references .................................................................................................................. 9

3 Terms, definitions and abbreviations .......................................................................................... 9

3.1 Terms and definitions .................................................................................................................. 9

3.2 Abbreviations............................................................................................................................. 14

4 Objectives, conformance and software integrity levels ............................................................. 15

5 Software management and organization .................................................................................. 16

5.1 Organization and independence of roles .................................................................................. 16

5.2 Personnel competence and responsibilities .............................................................................. 18

5.3 Lifecycle issues and documentation ......................................................................................... 19

6 Software assurance .................................................................................................................. 20

6.1 Software testing ........................................................................................................................ 20

6.2 Software verification .................................................................................................................. 21

6.3 Software validation .................................................................................................................... 23

6.4 Software assessment ................................................................................................................ 24

6.5 Software quality assurance ....................................................................................................... 26

6.6 Modification and change control ............................................................................................... 28

6.7 Support tools and languages .................................................................................................... 29

7 Software development .............................................................................................................. 33

7.1 Lifecycle and documentation for software ................................................................................. 33

7.2 Software requirements .............................................................................................................. 33

7.3 Architecture and Design ............................................................................................................ 36

7.4 Component design .................................................................................................................... 43

7.5 Component implementation and testing ................................................................................... 45

7.6 Integration ................................................................................................................................. 46

7.7 Overall software testing / Final validation ................................................................................. 48

8 Development of application data: systems configured by application data .............................. 50

8.1 Objectives .................................................................................................................................. 50

8.2 Input documents ........................................................................................................................ 51

8.3 Output documents ..................................................................................................................... 51

8.4 Requirements ............................................................................................................................ 51

9 Software deployment and maintenance .................................................................................... 55

9.1 Software deployment ................................................................................................................ 55

9.2 Software maintenance .............................................................................................................. 57

Annex A (normative) Criteria for the selection of techniques and measures ....................................... 60

Annex B (normative) Key software roles and responsibilities .............................................................. 72

Annex C (informative) Guidance on Software Development ............................................................... 78

Annex D (informative) Bibliography of techniques ............................................................................... 89

Annex ZZ (informative) Relationship between this European Standard and the Essential

Requirements of EU Directive (EU) 2016/797 aimed to be covered .................................................. 125

Bibliography ........................................................................................................................................ 127

This document (prEN 50716:2022) has been prepared by CLC/TC 9X “Electrical and electronic

prEN 50716:2022 includes the following significant technical changes with respect to

— [Will be completed within FprEN - see also guidance on changes provided with prEN]

This document is read in conjunction with EN 50126-1 “Railway applications – The specification and

demonstration of Reliability, Availability, Maintainability and Safety (RAMS): Basic requirements and

generic process” [1] and EN 50126-2 “Railway applications – The specification and demonstration of

Reliability, Availability, Maintainability and Safety (RAMS): Systems Approach to Safety” [2].

This document has been prepared under a Standardization Request given to CENELEC by the

European Commission and the European Free Trade Association, and supports essential

For relationship with EU Directive(s) / Regulation(s), see informative Annex ZZ, which is an integral

This document concentrates on the methods which need to be used in order to provide software

which meets the demands for software integrity which are placed upon it by these wider

This document provides a set of requirements for the development, deployment and maintenance of

any software intended for railway applications. It defines requirements concerning organizational

structure, the relationship between organizations and division of responsibility involved in the

development, deployment and maintenance activities. Criteria for the qualification and expertise of

The key concept of this document is that of levels of software integrity. This document addresses five

software integrity levels where basic integrity is the lowest and 4 the highest one. The higher the risk

resulting from software failure, the higher the software integrity level will be.

NOTE 1 The concept of basic integrity used in this document was first introduced in the EN 50126 series ([1]

This document has identified techniques and measures for the five levels of software integrity. The

required techniques and measures for basic integrity and for the safety integrity levels 1-4 are shown

in the normative tables of Annex A. The required techniques for level 1 are the same as for level 2,

and the required techniques for level 3 are the same as for level 4. This document does not give

guidance on which level of software integrity is appropriate for a given risk. This decision will depend

upon many factors including the nature of the application, the extent to which other systems carry out

It is within the scope of EN 50126-1 and EN 50126-2 to define the process of specifying the safety-

a) identify hazards, assessing risks and arriving at decisions based on risk criteria,

c) define the overall system safety requirements for the safeguards necessary to achieve the

e) plan, monitor and control the technical and managerial activities necessary to translate the

system safety requirements into a safety-related system of a validated safety integrity level.

As decomposition of the specification into a design comprising safety-related systems and

components takes place, further allocation of safety integrity levels is performed. Ultimately this leads

The current state-of-the-art is such that neither the application of quality assurance methods (so-

called fault avoiding measures and fault detecting measures) nor the application of software fault

tolerant approaches can guarantee the absolute safety of the software. There is no known way to

prove the absence of faults in reasonably complex safety-related software, especially the absence of

The principles applied in developing high integrity software include, but are not restricted to

At the system level, the allocation of system requirements to software functions takes place. This

includes the definition of the required software integrity level for the functions. The successive

functional steps in the application of this document are shown in Figure 1 and are as follows:

a) define the Software Requirements Specification and in parallel consider the software

architecture. The software architecture is where the safety strategy is developed for the software

b) design, develop and test the software according to the Software Quality Assurance Plan,

A number of activities run across the software development. These include testing (6.1), verification

(6.2), validation (6.3), assessment (6.4), quality assurance (6.5) and modification and change control

Requirements are given for support tools (6.7) and for systems which are configured by application

Requirements are also given for the independence of roles and the competence of staff involved in

This document does not mandate the use of a particular software development lifecycle. However,

Tables have been formulated ranking various techniques/measures against the software integrity

levels 1-4 and for basic integrity. The tables are in Annex A. Cross-referenced to the tables is a

bibliography giving a brief description of each technique/measure with references to further sources of

This document does not specify the requirements for the development, implementation, maintenance

and/or operation of security policies or security services needed to meet security requirements that

may be needed by the safety-related system. IT security can affect not only the operation but also the

functional safety of a system. For IT security, appropriate IT security standards should be applied.

NOTE 2 IEC/ISO standards (or series of standards) that address IT security in depth are [3], [4] and [5].

It may be necessary to balance between measures against systematic errors and measures against

security threats. An example is the need for fast security updates of software arising from security

threats, whereas if such software is safety related, it should be thoroughly developed, tested,

1.1 This document specifies the process and technical requirements for the development of software

for programmable electronic systems for use in control, command for signalling applications and any

This document is not intended to be applied in the area of electric traction power supply (fixed

installation) or for power supply and control of conventional applications, e.g. station power supply for

offices, shops etc. These applications are typically covered by standards for energy distribution and/or

For railway related fixed installations (electric traction power control and supply) EN 50562 is

1.2 This document is applicable exclusively to software and the interaction between software and the

1.4 This document applies to software as per subclause 1.1 of this document used in railway systems,

Application programming comprises high level programming, low level programming and special

1.5 This document also addresses the use of pre-existing software (as defined in 3.1.16) and tools.

Such software can be used if the specific requirements in 7.3.4.7 and 6.5.4.16 on pre-existing

1.6 Software developed according to any version of EN 50128 or EN 50657 will be considered as

NOTE This document is the successor of EN 50128 and EN 50657. Subclause 1.6 ensures continuity in the

application of these standards, i.e. software that was developed in accordance with the previous SW standards

1.7 This document considers that modern application design often makes use of software that is

suitable as a basis for various applications. Such software is then configured by application data for

1.9 This document is not intended to be retrospective. It therefore applies primarily to new

developments and only applies in its entirety to existing systems if these are subjected to major

modifications. For minor changes, only 9.2 applies. However, application of this document during

1.10 For the development of User Programmable Integrated Circuits (e.g. field programmable gate

arrays (FPGA) and complex programmable logic devices (CPLD)) guidance is provided in

EN 50129:2018 Annex F for safety related functions and in EN 50155:2017 for non-safety related

functions. Software running on soft-cores of User Programmable Integrated Circuits is within the

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments)

EN ISO 9000, Quality management systems — Fundamentals and vocabulary (ISO 9000:2015)

ISO/IEC/IEEE 90003:2018, Software engineering — Guidelines for the application of ISO 9001:2015

process of analysis to determine whether software, which may include process, documentation,

system, subsystem hardware and/or software components, meets the specified requirements and to

Note 1 to entry: Safety assessment is focused on but not limited to the safety properties of a system.

entity that carries out an assessment and, by extension, the role carried out by this entity

Note 1 to entry: This definition is based on EN 50126-1:2017 [1] but in this document, independence of the

Note 2 to entry: This is a software specific role and should not be confused with different types of assessors

software defined by market-driven need, commercially available and whose fitness for purpose has

constituent part of software which has well-defined interfaces and behaviour with respect to the

— it is clearly identified and has an independent version inside the configuration management system or is a

part of a collection of components (e.g. subsystems) which have an independent version.

entity that is responsible for implementing and carrying out the processes for the configuration

entity that analyses and transforms specified requirements into acceptable design solutions and, by

defect, mistake or inaccuracy in the development process which could result in a

Note 1 to entry: Definition is derived from EN 50126-1 3.20 [1] and adapted for software.

Note 1 to entry: “Failure” is an event, as distinguished from “fault”, which is a state.

[SOURCE: IEC 60050-821:2017, 821-11-19, modified – The notes 1 and 2 have been omitted. A new

[SOURCE: IEC 60050-821:2017, 821-11-20, modified – The note 1 to entry has been modified.]

software stored in read-only memory or in semi-permanent storage such as flash memory, in a way

software which can be used for a variety of installations purely by the provision of application-specific

entity that transforms specified designs into their realization and, by extension, the role

process of assembling software items or software with hardware items, according to the

capability of the software to be modified; to correct faults, improve performance or other

Note 1 to entry: This includes commercial off-the-shelf software, open-source software and software previously

[SOURCE: EN 50126-1:2017 [1], 3.43, modified – The end of the definition has been moved to the

solid-state control system which has a user programmable memory for storage of instructions to

entity that carries out requirements management and, by extension, the role carried out by this entity

process of eliciting, documenting, analysing, prioritizing and agreeing on requirements and then

combination of expected frequency of loss and the expected degree of severity

body responsible for delivering the authorization for the operation of the safety-related system

one of a number of defined discrete levels for specifying the safety integrity requirements for safety-

Note 1 to entry: Safety Integrity Level with the highest figure has the highest level of safety integrity.

Note 2 to entry: It is not possible to allocate a Safety Integrity Level to safety-related processes or other

Note 1 to entry: Software is called safety-related if at least one of its properties is used in the safety argument

for the system in which it is applied. These properties can be of functional or non-functional nature.

[SOURCE: IEC 60050-821:2017, 821-12-60, modified – “safety functions” has been replaced with

programs, procedures, rules, documentation and data of an information processing system

EXAMPLE Requirements and design specifications; source code listings, check lists and comments; “Help”

text and messages for display at the computer/human interface; instructions for installation and operation; and

Note 1 to entry: Software is an intellectual creation that is independent of the medium upon which it is recorded.

Note 2 to entry: Software requires hardware devices to execute programs, and to store and transmit data.

Note 3 to entry: Types of software include firmware, system software, and application software.

complete and consistent set of source code, executable files, configuration files, installation scripts

Note 1 to entry: Information about compilers, operating systems, pre-existing software and dependent tools is

stored as part of the software baseline. This will enable the organization to reproduce defined versions and be

the input for future releases at enhancements or at upgrade in the maintenance phase.

classification which determines the techniques and measures that have to be applied to software

Note 1 to entry: This includes basic integrity and the safety integrity levels 1 to 4.

those activities occurring during a period of time that starts when software is conceived and ends

modification for the purposes of software fault removal, adaptation to a new environment, or