BSI Standards Publication
BS EN 50128:2011
Railway applications - Communication, signalling and processing systems - Software for railway control and protection systems
Incorporating corrigendum February 2014

National foreword
This British Standard is the UK implementation of EN 50128:2011, incorporating corrigendum February 2014. It supersedes BS EN 50128:2001 which is withdrawn.
It should be noted that this standard is presently undergoing further revision to expand its remit to cover software applications within the context of the whole railway system, including, but not limited to, rolling stock, fixed installations as well as signalling systems. When revised it is planned that EN 50128 will become a part of the new suite of EN 50126 railway standards.
The UK participation in its preparation was entrusted by Technical Committee GEL/9, Railway Electrotechnical Applications, to Subcommittee GEL/9/1, Railway Electrotechnical Applications - Signalling and communications.
A list of organizations represented on this subcommittee can be obtained on request to its secretary.
This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.
© The British Standards Institution 2014. Published by BSI Standards Limited 2014
ISBN 978 0 580 86207 6
ICS 35.240.60; 45.020; 93.100
Compliance with a British Standard cannot confer immunity from legal obligations.
This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 July 2011.

Amendments/corrigenda issued since publication
Date            Text affected
30 April 2014   Implementation of CENELEC corrigendum February 2014: DOW date extended to 2017-04-25 in the EN Foreword

BRITISH STANDARD BS EN 50128:2011
EUROPEAN STANDARD / NORME EUROPÉENNE / EUROPÄISCHE NORM
EN 50128
June 2011
CENELEC European Committee for Electrotechnical Standardization / Comité Européen de Normalisation Electrotechnique / Europäisches Komitee für Elektrotechnische Normung
Management Centre: Avenue Marnix 17, B - 1000 Brussels
© 2011 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. EN 50128:2011 E
ICS 35.240.60; 45.020; 93.100

English version
Railway applications - Communication, signalling and processing systems - Software for railway control and protection systems
Applications ferroviaires - Systèmes de signalisation, de télécommunication et de traitement - Logiciels pour systèmes de commande et de protection ferroviaire
Bahnanwendungen - Telekommunikationstechnik, Signaltechnik und Datenverarbeitungssysteme - Software für Eisenbahnsteuerungs- und Überwachungssysteme

This European Standard was approved by CENELEC on 2011-04-25. CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the Central Secretariat or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CENELEC member into its own language and notified to the Central Secretariat has the same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland and the United Kingdom.

Contents
Foreword 6
Introduction 7
1 Scope 10
2 Normative references 11
3 Terms, definitions and abbreviations 11
3.1 Terms and definitions 11
3.2 Abbreviations 15
4 Objectives, conformance and software safety integrity levels 16
5 Software management and organisation 17
5.1 Organisation, roles and responsibilities 17
5.2 Personnel competence 20
5.3 Lifecycle issues and documentation 21
6 Software assurance 23
6.1 Software testing 23
6.2 Software verification 25
6.3 Software validation 27
6.4 Software assessment 28
6.5 Software quality assurance 30
6.6 Modification and change control 33
6.7 Support tools and languages 34
7 Generic software development 37
7.1 Lifecycle and documentation for generic software 37
7.2 Software requirements 37
7.3 Architecture and Design 40
7.4 Component design 46
7.5 Component implementation and testing 49
7.6 Integration 50
7.7 Overall Software Testing / Final Validation 52
8 Development of application data or algorithms: systems configured by application data or algorithms 54
8.1 Objectives 54
8.2 Input documents 55
8.3 Output documents 55
8.4 Requirements 55
9 Software deployment and maintenance 60
9.1 Software deployment 60
9.2 Software maintenance 62
Annex A (normative) Criteria for the Selection of Techniques and Measures 65
A.1 Clauses tables 66
A.2 Detailed tables 73
Annex B (normative) Key software roles and responsibilities 79
Annex C (informative) Documents Control Summary 88
Annex D (informative) Bibliography of techniques 90
D.1 Artificial Intelligence Fault Correction 90
D.2 Analysable Programs 90
D.3 Avalanche/Stress Testing 91
D.4 Boundary Value Analysis 91
D.5 Backward Recovery 92
D.6 Cause Consequence Diagrams 92
D.7 Checklists 92
D.8 Control Flow Analysis 93
D.9 Common Cause Failure Analysis 93
D.10 Data Flow Analysis 94
D.11 Data Flow Diagrams 94
D.12 Data Recording and Analysis 95
D.13 Decision Tables (Truth Tables) 95
D.14 Defensive Programming 96
D.15 Coding Standards and Style Guide 96
D.16 Diverse Programming 97
D.17 Dynamic Reconfiguration 98
D.18 Equivalence Classes and Input Partition Testing 98
D.19 Error Detecting and Correcting Codes 98
D.20 Error Guessing 99
D.21 Error Seeding 99
D.22 Event Tree Analysis 99
D.23 Fagan Inspections 100
D.24 Failure Assertion Programming 100
D.25 SEEA Software Error Effect Analysis 100
D.26 Fault Detection and Diagnosis 101
D.27 Finite State Machines/State Transition Diagrams 102
D.28 Formal Methods 102
D.29 Formal Proof 108
D.30 Forward Recovery 108
D.31 Graceful Degradation 108
D.32 Impact Analysis 109
D.33 Information Hiding / Encapsulation 109
D.34 Interface Testing 110
D.35 Language Subset 110
D.36 Memorising Executed Cases 110
D.37 Metrics 111
D.38 Modular Approach 111
D.39 Performance Modelling 112
D.40 Performance Requirements 112
D.41 Probabilistic Testing 113
D.42 Process Simulation 113
D.43 Prototyping / Animation 114
D.44 Recovery Block 114
D.45 Response Timing and Memory Constraints 114
D.46 Re-Try Fault Recovery Mechanisms 115
D.47 Safety Bag 115
D.48 Software Configuration Management 115
D.49 Strongly Typed Programming Languages 115
D.50 Structure Based Testing 116
D.51 Structure Diagrams 116
D.52 Structured Methodology 117
D.53 Structured Programming 117
D.54 Suitable Programming languages 118
D.55 Time Petri Nets 119
D.56 Walkthroughs / Design Reviews 119
D.57 Object Oriented Programming 119
D.58 Traceability 120
D.59 Metaprogramming 121
D.60 Procedural programming 121
D.61 Sequential Function Charts 121
D.62 Ladder Diagram 122
D.63 Functional Block Diagram 122
D.64 State Chart or State Diagram 122
D.65 Data modelling 122
D.66 Control Flow Diagram/Control Flow Graph 123
D.67 Sequence diagram 124
D.68 Tabular Specification Methods 124
D.69 Application specific language 124
D.70 UML (Unified Modeling Language) 125
D.71 Domain specific languages 126
Bibliography 127

Figures
Figure 1 Illustrative Software Route Map 9
Figure 2 Illustration of the preferred organisational structure 18
Figure 3 Illustrative Development Lifecycle 1 22
Figure 4 Illustrative Development Lifecycle 2 23

Tables
Table 1 - Relation between tool class and applicable sub-clauses 37
Table A.1 Lifecycle Issues and Documentation (5.3) 66
Table A.2 Software Requirements Specification (7.2) 68
Table A.3 Software Architecture (7.3) 69
Table A.4 Software Design and Implementation (7.4) 70
Table A.5 Verification and Testing (6.2 and 7.3) 71
Table A.6 Integration (7.6) 71
Table A.7 Overall Software Testing (6.2 and 7.7) 71
Table A.8 Software Analysis Techniques (6.3) 72
Table A.9 Software Quality Assurance (6.5) 72
Table A.10 Software Maintenance (9.2) 72
Table A.11 Data Preparation Techniques (8.4) 73
Table A.12 Coding Standards 73
Table A.13 Dynamic Analysis and Testing 74
Table A.14 Functional/Black Box Test 74
Table A.15 Textual Programming Languages 75
Table A.16 Diagrammatic Languages for Application Algorithms 75
Table A.17 Modelling 76
Table A.18 Performance Testing 76
Table A.19 Static Analysis 76
Table A.20 Components 77
Table A.21 Test Coverage for Code 77
Table A.22 Object Oriented Software Architecture 78
Table A.23 Object Oriented Detailed Design 78
Table B.1 Requirements Manager Role Specification 79
Table B.2 Designer Role Specification 80
Table B.3 Implementer Role Specification 81
Table B.4 Tester Role Specification 82
Table B.5 Verifier Role Specification 83
Table B.6 Integrator Role Specification 84
Table B.7 Validator Role Specification 85
Table B.8 Assessor Role Specification 86
Table B.9 Project Manager Role Specification 87
Table B.10 Configuration Manager Role Specification 87
Table C.1 Documents Control Summary 88

Foreword
This European Standard was prepared by
SC 9XA, Communication, signalling and processing systems, of Technical Committee CENELEC TC 9X, Electrical and electronic applications for railways. It was submitted to the Formal Vote and was approved by CENELEC as EN 50128 on 2011-04-25.
This document supersedes EN 50128:2001.
The main changes with respect to EN 50128:2001 are listed below:
- requirements on software management and organisation, definition of roles and competencies, deployment and maintenance have been added;
- a new clause on tools has been inserted, based on EN 61508-2:2010;
- tables in Annex A have been updated.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN and CENELEC shall not be held responsible for identifying any or all such patent rights.
The following dates were fixed:
- latest date by which the EN has to be implemented at national level by publication of an identical national standard or by endorsement (dop): 2012-04-25
- latest date by which the national standards conflicting with the EN have to be withdrawn (dow): 2017-04-25
This European Standard should be read in conjunction with EN 50126-1:1999 “Railway applications - The specification and demonstration of Reliability, Availability, Maintainability and Safety (RAMS) - Part 1: Basic requirements and generic process” and EN 50129:2003 “Railway applications - Communication, signalling and processing systems - Safety related electronic systems for signalling”.

Introduction
This European Standard is part of a group of related standards. The others are EN 50126-1:1999 “Railway applications - The specification and demonstration of Reliability, Availability, Maintainability and Safety (RAMS) - Part 1: Basic requirements and generic process” and EN 50129:2003 “Railway applications - Communication, signalling and processing systems - Safety related electronic systems for signalling”. EN 50126-1 addresses system issues on the widest scale, while EN 50129 addresses the approval process for individual systems which can exist within the overall railway control and protection system. This European Standard concentrates on the methods which need to be used in order to provide software which meets the demands for safety integrity which are placed upon it by these wider considerations.
This European Standard provides a set of requirements with which the development, deployment and maintenance of any safety-related software intended for railway control and protection applications shall comply. It defines requirements concerning organisational structure, the relationship between organisations and division of responsibility involved in the development, deployment and maintenance activities. Criteria for the qualification and expertise of personnel are also provided in this European Standard.
The key concept of this European Standard is that of levels of software safety integrity. This European Standard addresses five software safety integrity levels where 0 is the lowest and 4 the highest one. The higher the risk resulting from software failure, the higher the software safety integrity level will be.
This European Standard has identified techniques and measures for the five levels of software safety integrity. The required techniques and measures for software safety integrity levels 0-4 are shown in the normative tables of Annex A. In this version, the required techniques for level 1 are the same as for level 2, and the required techniques for level 3 are the same as for level 4.
This European Standard does not give guidance on which level of software safety integrity is appropriate for a given risk. This decision will depend upon many factors including the nature of the application, the extent to which other systems carry out safety functions and social and economic factors. It is within the scope of EN 50126-1 and EN 50129 to define the process of specifying the safety functions allocated to software. This European Standard specifies those measures necessary to achieve these requirements.
EN 50126-1 and EN 50129 require that a systematic approach be taken to
a) identify hazards, assessing risks and arriving at decisions based on risk criteria,
b) identify the necessary risk reduction to meet the risk acceptance criteria,
c) define an overall System Safety Requirements Specification for the safeguards necessary to achieve the required risk reduction,
d) select a suitable system architecture,
e) plan, monitor and control the technical and managerial activities necessary to translate the System Safety Requirements Specification into a Safety-Related System of a validated safety integrity.
As decomposition of the specification into a design comprising safety-related s