Railway applications - The Specification and Demonstration of Reliability, Availability, Maintainability and Safety (RAMS) - Part 5: Functional Safety - Software

Project notes:
- Will supersede EN 50128:2011
- Full revision and re-organisation of the EN 50126 series needed to get a full set of standards covering the whole railway system
- In the hands of WG 14
- To be offered to IEC to revise IEC 62278
- D138/C125: Extension of the target date for vote approved, to read 2013-03-31
- 2012-06-29: Enquiry editing allocated to aclausse@cencenelec.eu


General Information

Status: Not Published
Public Enquiry End Date: 30-Mar-2013
Current Stage: 98 - Abandoned project (Adopted Project)
Start Date: 13-Aug-2018
Due Date: 18-Aug-2018
Completion Date: 13-Aug-2018

Buy Standard

Draft prEN 50126-5:2013, English language, 136 pages

Standards Content (Sample)

SLOVENIAN STANDARD
oSIST prEN 50126-5:2013
1 January 2013
Railway applications - The Specification and Demonstration of Reliability, Availability, Maintainability and Safety (RAMS) - Part 5: Functional Safety - Software
This Slovenian standard is identical to: prEN 50126-5:2012
ICS:
35.240.60 IT applications in transport and trade
45.020 Railway engineering in general
oSIST prEN 50126-5:2013 en
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

DRAFT EUROPEAN STANDARD / NORME EUROPÉENNE / EUROPÄISCHE NORM
prEN 50126-5
October 2012

ICS 29.280; 45.020 Will supersede EN 50128:2011

English version

Railway applications -
The Specification and Demonstration of Reliability, Availability, Maintainability and Safety (RAMS) -
Part 5: Functional Safety - Software


This draft European Standard is submitted to CENELEC members for CENELEC enquiry. Deadline for CENELEC: 2013-03-29.

It has been drawn up by CLC/TC 9X.

If this draft becomes a European Standard, CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.

This draft European Standard was established by CENELEC in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation.

Warning: This document is not a European Standard. It is distributed for review and comments. It is subject to change without notice and shall not be referred to as a European Standard.


CENELEC
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung

Management Centre: Avenue Marnix 17, B - 1000 Brussels


© 2012 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Project: 21755 Ref. No. prEN 50126-5:2012 E

Contents
Foreword ..... 4
Introduction ..... 6
1 Scope ..... 9
2 Normative references ..... 10
3 Terms and definitions ..... 11
4 Abbreviations ..... 11
5 Overall framework of EN 50126-5 ..... 12
6 Software Management and Organisation ..... 13
6.1 Organisation, Roles and Responsibilities ..... 13
6.2 Personnel Competence ..... 16
6.3 Lifecycle Issues and Documentation ..... 17
7 Software assurance ..... 21
7.1 Analysis ..... 21
7.2 Software testing ..... 23
7.3 Software Verification ..... 24
7.4 Software Validation ..... 27
7.5 Independent Software Assessment ..... 29
7.6 Software Quality Assurance ..... 31
7.7 Safety Management ..... 33
7.8 Configuration Management and Modification Control ..... 35
7.9 Support Tools and Languages ..... 36
8 Generic Software Development ..... 39
8.1 Lifecycle and Documentation for Generic Software ..... 39
8.2 Software Requirements ..... 39
8.3 Architecture and Design ..... 41
8.4 Component Design ..... 46
8.5 Component Implementation and Testing ..... 48
8.6 Integration ..... 49
8.7 Final Validation and Independent Assessment ..... 51
9 Development of Application Data or Algorithms: systems configured by application data or algorithms ..... 58
9.1 Objectives ..... 58
9.2 Input ..... 58
9.3 Deliverables ..... 58
9.4 Requirements ..... 59
10 Software Deployment and Maintenance ..... 63
10.1 Software Deployment ..... 63
10.2 Software Maintenance ..... 65
Annex A (normative) Criteria for the Selection of Techniques and Measures ..... 68
Annex B (normative) Key Software Roles and Responsibilities ..... 82
Annex C (informative) Documents Control Summary ..... 90
Annex D (informative) Multi-core and Multi-threaded Programming ..... 92
Annex E (informative) Structure of Software Safety Case ..... 94
Annex F (informative) Bibliography of Techniques ..... 103
Bibliography ..... 136

Figures
Figure 1 – Illustrative Software Route Map ..... 8
Figure 2 – Illustration of the preferred organisational structure ..... 14
Figure 3 – Illustrative Development Lifecycle 1 ..... 19
Figure 4 – Illustrative Development Lifecycle 2 ..... 20
Figure E.1 – Structure of Safety Case ..... 95
Figure E.2 – Structure of Technical Safety Report ..... 96

Tables
Table 1 – Relation between tool class and applicable paragraphs of 7.9.4.14 ..... 38
Table A.1 – Lifecycle Issues and Documentation (6.3) ..... 69
Table A.2 – Software Requirements Specification (8.2) ..... 71
Table A.3 – Software Architecture (8.3) ..... 72
Table A.4 – Software Design and Implementation (8.4) ..... 73
Table A.5 – Verification and Testing (6.2 and 7.3) ..... 74
Table A.6 – Integration (7.6) ..... 74
Table A.7 – Overall Software Testing (7.3 and 8.7) ..... 74
Table A.8 – Software Analysis Techniques (7.4) ..... 75
Table A.9 – Software Quality Assurance (7.6) ..... 75
Table A.10 – Software Maintenance (10.2) ..... 75
Table A.11 – Data Preparation Techniques (9.4) ..... 76
Table A.12 – Coding Standards ..... 76
Table A.13 – Dynamic Analysis and Testing ..... 77
Table A.14 – Functional/Black Box Test ..... 77
Table A.15 – Textual Programming Languages ..... 78
Table A.16 – Diagrammatic Languages for Application Algorithms ..... 78
Table A.17 – Modelling ..... 79
Table A.18 – Performance Testing ..... 79
Table A.19 – Static Analysis ..... 79
Table A.20 – Components ..... 80
Table A.21 – Test Coverage for Code ..... 80
Table A.22 – Object Oriented Software Architecture ..... 81
Table A.23 – Object Oriented Detailed Design ..... 81
Table B.1 – Software Requirements Manager Role Specification ..... 82
Table B.2 – Software Designer Role Specification ..... 83
Table B.3 – Software Implementer Role Specification ..... 83
Table B.4 – Software Tester Role Specification ..... 84
Table B.5 – Software Verifier Role Specification ..... 84
Table B.6 – Software Integrator Role Specification ..... 85
Table B.7 – Software Validator Role Specification ..... 86
Table B.8 – Software Assessor Role Specification ..... 87
Table B.9 – Software Project Manager Role Specification ..... 88
Table B.10 – Software Configuration Manager Role Specification ..... 88
Table B.11 – Software Safety Manager Role Specification ..... 89
Table C.1 – Documents Control Summary ..... 90

Foreword
This document [prEN 50126-5:2012] has been prepared by CLC/TC 9X "Electrical and electronic applications for railways".

This document is currently submitted to the Enquiry.

EN 50126 "Railway applications – The specification and demonstration of Reliability, Availability, Maintainability and Safety (RAMS)" consists of the following parts:
– Part 1: Generic RAMS process;
– Part 2: Systems approach to safety;
– Part 4: Functional safety – Electrical/Electronic/Programmable electronic systems;
– Part 5: Functional safety – Software.

This new edition of EN 50126 (all parts) will supersede EN 50126-1:1999, CLC/TR 50126-2:2007, CLC/TR 50126-3:2008, EN 50128:2011 and EN 50129:2003.

This part of EN 50126 will supersede EN 50128:2011.

This document has been prepared under a mandate given to CENELEC by the European Commission and the European Free Trade Association, and supports essential requirements of EU Directive(s).

This European Standard supports the European Railway Directive 2004/49/EC (Railway Safety Directive) and the Commission Regulation (EC) No 352/2009 of 24 April 2009 on the adoption of a common safety method on risk evaluation and independent assessment as referred to in Article 6(3)(a) of Directive 2004/49/EC of the European Parliament and of the Council.

Introduction

EN 50126-1:1999 was produced to introduce the application of a systematic RAMS management process in the railway sector. For safety related electronic systems for signalling, EN 50128:2011 and EN 50129:2003 were produced. Through the application of these European Standards and the experience gained over recent years, the need for revision and restructuring became apparent, with a need to deliver a systematic and coherent approach to RAMS applicable to all the railway application fields: Signalling, Rolling Stock and Fixed Installations.

The revision work improved the coherence and consistency of the European Standards, the concept of safety management and the practical usage of EN 50126, and took the existing related Technical Reports into consideration as well.

This European Standard provides railway duty holders and railway suppliers throughout the European Union with a process which will enable the implementation of a consistent approach to the management of reliability, availability, maintainability and safety, denoted by the acronym RAMS. Processes for the specification and demonstration of RAMS requirements are cornerstones of this standard.

EN 50126 is the railway sector specific application of IEC 61508. Meeting the requirements in this European Standard is sufficient to ensure that additional compliance to IEC 61508 does not need to be evaluated.

With regard to safety, EN 50126-1 provides a Safety Management Process which is supported by guidance and methods described in EN 50126-2.

EN 50126-1 and EN 50126-2 are independent of the technology used. EN 50126-4 and EN 50126-5 provide guidance specific to safety related E/E/PE technology of railway applications, and their application depends on the outcome of the safety related methods described in EN 50126-2. As far as safety is concerned, EN 50126 takes the perspective of functional safety. This does not exclude other aspects of safety; however, these are not the focus.

The aims set for the revision of EN 50126 required a better understanding of the systems approach and improved methods for applying the safety management process described in EN 50126-1. EN 50126-2 provides this guidance.

The application of this European Standard shall be adapted to the specific requirements of the system under consideration.

This European Standard can be applied systematically by railway duty holders and railway suppliers, throughout all phases of the life cycle of a railway application, to develop railway specific RAMS requirements and to achieve compliance with these requirements. The systems-level approach developed by this European Standard facilitates independent assessment of the RAMS interactions between elements of railway applications, even if they are of a complex nature.

This European Standard promotes co-operation between the stakeholders of railways in the achievement of an optimal combination of RAMS and cost for railway applications. Adoption of this European Standard will support the principles of the European Single Market and facilitate European railway interoperability.

The process defined by this European Standard assumes that railway duty holders and railway suppliers have business-level policies addressing Quality, Performance and Safety. The approach defined in this European Standard is consistent with the application of the quality management requirements contained within the ISO 9000 series of International Standards.

In this European Standard, the term "document" refers to technical content rather than necessarily to a single physical document. Such technical content can be combined arbitrarily into physical documents depending on the needs of the specific project. Technical content can also be omitted in the process-tailoring step, which should take place in the early planning phase of a project. The omission of technical content has, however, to be justified with technical arguments. The tailoring process is best documented in a Project Document List, declaring which documents with which technical content are planned to be created, by whom and in which phase of the project. Omitted technical content should be highlighted and the omission justified.

The current state of the art is such that neither the application of quality assurance methods (so-called fault avoiding measures and fault detecting measures) nor the application of software fault tolerant approaches can guarantee the absolute safety of the software. The proof of the absence of faults in reasonably complex safety-related software, especially the absence of specification and design faults, is currently a formidable if not unattainable task. Adopting a systematic, principled process and employing competent resources constitute current best practice in software development. The principles applied in developing high integrity software include, but are not restricted to:
– top-down design methods,
– modularity,
– verification of each phase of the development lifecycle,
– verified components and component libraries,
– clear documentation and traceability,
– auditable documents,
– validation,
– assessment,
– configuration management and change control, and
– appropriate consideration of organisation and personnel competency issues.

This European Standard does not mandate the use of a particular software development lifecycle. However, illustrative lifecycles and documentation sets are given in 6.3, Figure 3 and Figure 4 and in 8.1.

Figure 1 – Illustrative Software Route Map (steps, top to bottom):
1. Obtain the System Requirements Specification, System Safety Requirements Specification, System Architecture Description and System Safety Plan for the system.
2. Identify all the safety functions allocated to the software.
3. Review all safety functions allocated to the software and determine the Software Safety Integrity Level.
4. Produce the Software Requirements Specification and the Software Architecture Specification.
5. Design, develop and verify/test the software according to the Software Quality Assurance Plan, Software Safety Integrity Level and the Software Lifecycle.
6. Perform the Software Validation and hand over to the system integrator.
7. Operational life of the system.
8. Software Maintenance.

1 Scope

This part of EN 50126
• is intended to apply to all safety-related software aimed at electronic railway systems/sub-systems. The relevant methods are provided by EN 50126-2. If analysis reveals that no safety requirements exist (i.e. the situation is non-safety-related), and provided the conclusion is not revised as a consequence of later changes, this part of EN 50126 ceases to be applicable;
• specifies the process and technical requirements for the development of software for programmable electronic systems for use in railway monitoring, control and protection applications. These systems can be implemented using dedicated microprocessors, programmable logic controllers, multiprocessor distributed systems, larger scale central processor systems or other architectures;
• is applicable exclusively to software and the interaction between software and the system/sub-system of which it is part.

This European Standard
• is primarily applicable to software which has been specifically designed and developed for railway applications. It should also be applied, as far as reasonably practicable, to general-purpose or industrial software which is procured for use as part of a safety-related railway system. As a minimum, evidence shall be provided in such cases to demonstrate:
  - either that the software is not relied on for safety,
  - or that the software can be relied on for those functions which relate to safety;
• applies
  - to the specification, architecture, design, development, implementation, integration, installation, acceptance, deployment, operation, maintenance and modification/extension phases of the software in a system/sub-system. It also applies to individual sub-systems within the overall system as determined by the process in EN 50126-1 and supported by the methods in EN 50126-2,
  - to generic sub-systems (both application-independent and those intended for a particular class of application), and also to systems/sub-systems for specific applications;
• does not define
  - RAMS targets, quantities, requirements or solutions for specific railway applications,
  - rules or processes pertaining to the certification of railway products against the requirements of this European Standard,
  - an approval process by the safety authority;
• does not specify requirements for ensuring system security.

This part of EN 50126 is applicable
• to the specification and demonstration of safety for all software in railway applications and at all levels of such an application, as appropriate, from complete railway systems to major systems and to individual and combined sub-systems within these major systems; in particular:
  - to new systems;
  - to new systems integrated into existing systems in operation prior to the creation of this European Standard, although it is not generally applicable to other aspects of the existing system;
  - for modifications of existing software on systems in operation prior to the creation of this European Standard, although it is not generally applicable to other aspects of the existing system;
  - at all relevant phases of the lifecycle of an application;
  - for use by railway duty holders, railway suppliers, assessors and safety authorities;
• to all safety related software used in railway control and protection systems, including
  1. application programming,
  2. operating systems,
  3. support tools,
  4. firmware.
  Application programming comprises high level programming, low level programming and special purpose programming (for example: programmable logic controller ladder logic).
• not relevant for software that has been identified as having no
...
