The EN 50128 Functional Safety standard describes together with the EN 50126 and EN 50129 the functional safety in the railway industry. These standards implement the IEC61508 for this industry.
The peculiarity of the rail industry with regard to functional safety is that the systems are to be certified by an governmental authority (in Germany the federal railway authority), before they are allowed to be placed into a railway system. So, the manufacturer must provide proof of compliance with the functional safety standards already during the development of the product. In this point the aviation and rail industry are very similar.
In most other industries, there are (so far) no governmental authorities (e.g. automotive industry). The manufacturer must ensure himself the compliance with standards and only when the product liability law is applied, then the corresponding evidence must be provided.
In this blog I’m focusing on the functional safety in the railway industry. The following picture gives an overview about the contents of the three standards:
The EN 50128 defines the requirements for software to be installed in electronic railway applications. As software development process, the standard requires the V model. This is, in the first glance, very similar to other functional safety standards. However, the EN50128 focuses strongly on the definition of individual roles in the development process and the competencies that are need by the employees. Sure, this has the advantage that the project is forced to make clear thoughts, which team members are suitable to perform EN 50128 Functional Safety projects. A disadvantage is that it gets very difficult to apply new procedures or methods, such as for e.g. agile methods. This balance is managed in other standards in a better manner.
Competence and roles of team members
The following graphic gives an overview of the required roles and the demanded independence. In a SIL 3 SIL 4 project the validation must be carried out independent of the project manager. Within a SIL 1, software integrator and tester are allowed to be the same person.
In other areas of the standard, there are far more similarities with other functional safety standards. Of course also in these areas there are noticeable differences. However the strict definition of roles plays the most important role, if one manufactures products for multiple industries such as suppliers. For him it is essential to avoid the implementation of two different development processes. In case a supplier wants to develop the software product according to EN50128 and ISO26262, there will be a significant effort to be spent to develop a strategy to avoid a duplication of the development process and still be compliant to EN50128.
Aspects for which detailed measures and techniques are required
At the end of this article, I want to give a view on the aspects for which detailed measures and techniques are required, depending on the SIL level to be met:
Software requirement specification (Chapter 7.2)
Software architecture (Chapter 7.3)
Software design and implementation (Chapter 7.4)
Verification and Test (Chapter 6.2 and 7.3)
Integration (Chapter 7.6)
Test of the complete software (Chapter 6.2 and 7.7)
Software analysis techniques (Chapter 6.3)
Software quality assurance (Chapter 6.5)
Software maintainability (Chapter 9.2)
Data generation (Chapter 8.4)
Overall, the EN50128 provides the same requirements for safety-critical software and the development process as other functional safety standards.
There is a greater difference in the definition of the roles and competencies of team members.
However, the biggest difference from other industries arises from the fact that software and the corresponding embedded systems must be certified by a government agency. Only the aerospace industry has similar constraints in this area.
I’ll be glad to help you also with any specific questions about your project . Send an email to: martin.heininger [at] heicon-ulm.de
An overview of the services can also be found on the HEICON Homepage.