The standards EN 50128 (Software for railway control and protection systems) and EN 50129 (Safety related electronic systems for signaling) are the railway-specific interpretation of the international standard series IEC 61508 (Functional safety of electrical/electronic/programmable electronic safety-related systems).
The EN 50128 standard describes software safety integrity levels and identifies requirements for personnel and their responsibilities, lifecycle issues, and documentation. It gives detailed descriptions of objectives, input documents, output documents and requirements for software requirements specification, architecture, design and implementation, verification and testing as well as software/hardware integration, software validation, quality assurance, and maintenance.
EN 50128 defines five software safety integrity levels (SIL), ranging from the most critical (SIL 4), such as safety signaling, to the non-critical (SIL 0), such as management information systems.
| Safety Integrity Level | Probability of dangerous failure | Risk reduction factor |
|---|---|---|
| SIL 4 | ≥ 10⁻⁵ to < 10⁻⁴ | 100,000 to 10,000 |
| SIL 3 | ≥ 10⁻⁴ to < 10⁻³ | 10,000 to 1,000 |
| SIL 2 | ≥ 10⁻³ to < 10⁻² | 1,000 to 100 |
| SIL 1 | ≥ 10⁻² to < 10⁻¹ | 100 to 100 |
Definition of EN 50128 Safety Integrity Levels
Other standards based on IEC 61508 may use either of two definitions of Safety Integrity Level. The demand-mode definition of IEC 61508 applies to systems whose frequency of operation is intermittent (such as the systems covered by EN 50128), while the continuous-mode definition covers systems that operate in a sustained manner over a period of time. The following table shows the difference between the two definitions and what a failure of the system may mean at each SIL.
| Safety Integrity Level | Availability | Demand mode: probability of a failure on demand | Continuous mode: probability of a dangerous failure per hour | Consequence of a failure |
|---|---|---|---|---|
| SIL 4 | > 99.99% | ≥ 10⁻⁵ to < 10⁻⁴ | ≥ 10⁻⁹ to < 10⁻⁸ | Potential for fatalities in the community |
| SIL 3 | 99.99% | ≥ 10⁻⁴ to < 10⁻³ | ≥ 10⁻⁸ to < 10⁻⁷ | Potential for multiple fatalities |
| SIL 2 | 99%-99.9% | ≥ 10⁻³ to < 10⁻² | ≥ 10⁻⁷ to < 10⁻⁶ | Potential for major injuries or one fatality |
| SIL 1 | 90%-99% | ≥ 10⁻² to < 10⁻¹ | ≥ 10⁻⁶ to < 10⁻⁵ | Potential for minor injuries |
| SIL 0 | No requirement | N/A | | |
Ensuring Complete Embedded Software Testing
To ensure predictable software operation, organizations need to know that they have tested 100% of the application code. VectorCAST/Cover does this by collecting coverage information during system test activities. The tool lets you determine the adequacy of your system testing: if parts of the code are not covered, more testing may be required for those areas of the application.
Why System Testing Isn't Enough for 100% Reliability
System testing does not ensure 100% coverage because many functions contain error-handling code that is difficult or impossible to stimulate from a fully integrated application. The solution is to perform unit and integration testing on those functions using VectorCAST/C++ or VectorCAST/Ada. Because VectorCAST/Cover shares coverage information with VectorCAST for C/C++ and VectorCAST for Ada, you can produce coverage reports showing the combined coverage from all of your test activities.
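The combined-coverage idea in the two sections above can be shown in a few lines. The following Python is an added example, not VectorCAST code and not its data format: it merges constructed per-function line coverage from a system-test run and a unit-test run, reports statement coverage per activity and combined, and lists the lines that no activity executed. The function names and line sets are constructed for illustration; the error-handling branch of `check_speed` (lines 7 and 8) is only reached by the unit test, which mirrors the point made above.

```python
"""Combine statement coverage from several test activities.

Added example (not VectorCAST code, not VectorCAST's data format). The
coverage records below are constructed to show why system testing alone
leaves error-handling paths uncovered and how merging unit-test coverage
closes most of the gap, while still exposing what remains untested.
"""

# Constructed source map: function name -> the executable lines it owns.
# Lines 7 and 8 of check_speed are its error-handling branch.
SOURCE_MAP = {
    "check_speed": {1, 2, 3, 4, 5, 6, 7, 8},
    "apply_brake": {10, 11, 12, 13},
    "log_event": {20, 21, 22},
}

# Constructed coverage records, one per test activity: which lines executed.
SYSTEM_TEST_COVERAGE = {
    "check_speed": {1, 2, 3, 4, 5, 6},  # error branch (7, 8) never triggered on the integrated system
    "apply_brake": {10, 11, 12, 13},
    "log_event": {20, 21},              # line 22 not reached by any system scenario
}
UNIT_TEST_COVERAGE = {
    "check_speed": {1, 2, 7, 8},        # fault injected directly at the unit level
}


def merge_coverage(*runs):
    """Union of covered lines per function across all test activities."""
    merged = {}
    for run in runs:
        for func, lines in run.items():
            merged.setdefault(func, set()).update(lines)
    return merged


def uncovered_lines(source_map, coverage):
    """Executable lines no activity executed, keyed by function (empty sets dropped)."""
    gaps = {}
    for func, lines in source_map.items():
        missing = lines - coverage.get(func, set())
        if missing:
            gaps[func] = missing
    return gaps


def statement_coverage_percent(source_map, coverage):
    """Covered executable lines as a percentage of all executable lines."""
    total = sum(len(lines) for lines in source_map.values())
    covered = sum(len(lines & coverage.get(func, set()))
                  for func, lines in source_map.items())
    return 100.0 * covered / total


def coverage_report(source_map, **runs):
    """Per-activity and combined coverage, plus the remaining gaps."""
    report = {name: statement_coverage_percent(source_map, run)
              for name, run in runs.items()}
    combined = merge_coverage(*runs.values())
    report["combined"] = statement_coverage_percent(source_map, combined)
    report["gaps"] = uncovered_lines(source_map, combined)
    return report


if __name__ == "__main__":
    result = coverage_report(SOURCE_MAP,
                             system=SYSTEM_TEST_COVERAGE,
                             unit=UNIT_TEST_COVERAGE)
    for name, value in result.items():
        if name == "gaps":
            print("uncovered:", value)
        else:
            print(f"{name}: {value:.1f}%")
```

With the constructed data the system test alone reaches 80.0% and the unit test 26.7%, but their union reaches 93.3%, and the report still names `log_event` line 22 as the place where more testing is required; that remaining gap is the actionable output, not the percentage.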
Compliance with Highest Railway Standards
Our tools have been used successfully by numerous clients that need to comply with rigorous industrial standards, including those used in the railway industry.