EN 50128 "Railway applications - Communication, signalling and processing systems" / IEC 62279
Note: the EN 50128 standard has been replaced by the standard EN 50657.
The European standard EN 50128 "Railway applications - Communication, signalling and processing systems - Software for railway control and protection systems" specifies procedures and technical requirements for the development of programmable electronic systems which are used in railway control and protection applications.
The international version of this standard is IEC 62279. It is identical to EN 50128.
During software testing a report needs to be established which contains among others information about test coverage and test the completeness (point 6.1.4.5).
According to the software development process, tools for verification and validation (like tools for static analysis and test coverage) need to be choosen.
The software must be analysable, testable, verifiable and maintainable (point 7.5.1.1). The size and complexity of the developed source code needs to be well-balanced (point 7.5.4.2).
Among other things, it is mandatory to prepare a software component test report with an evaluation of the test coverage for each component.
Required test coverage for code
Depending on Security Integration Level (SIL) the standard EN 50128 requires the following test coverage levels (R stands for "recommended", HR stands for "highly recommended"):| SIL 0 | SIL 1 | SIL 2 | SIL 3 | SIL 4 | |
| 1. Statement Coverage | R | HR | HR | HR | HR |
| 2. Branch Coverage | - | R | R | HR | HR |
| 3. Composed conditions (MC/DC or MCC-Coverage) |
- | R | R | HR | HR |
| 4. Data Flow Analysis | - | R | R | HR | HR |
| 5. Path Coverage | - | R | R | HR | HR |
For any code which is not suitable for testing, the proof of correctness can be done with an other useful method like boundary value analysis, checklists, control flow analysis, or data flow analysis.
Static Software Analysis is highly recommended for Security Integration Levels 1-4.
Tool Support
Statement-, Branch-, MC/DC- and Modified Condition Coverage (MCC) can be analysed by Testwell CTC++. This coverage tool is suitable for For C, C++, Java and C# projects.Data flow analysis, path coverage and static code analysis can be done with GrammaTech CodeSonar®.
In order to analyse code complexity of C, C++, Java and C# projects, Testwell CMT++ and Testwell CMTJava can be used.
Certificate / Qualification Kit
For Testwell CTC++ 10.x we provide a Certificate of TÜV Süd Rail GmbH for the usage of Testwell CTC++ in safety critical projects (all SIL- and ASIL-levels of the supported standards).Verifysoft offers Qualification Kit for Testwell CTC++ (currently up to version 9.x) which provides documentation, test cases, and procedures that let you qualify Testwell CTC++ Test Coverage Analyser for projects based on the safety standards ISO 26262, IEC 61508, EN-50128, and DO-178C.
