EN 50657 Railway Applications – Rolling Stock Applications – Software on Board Rolling Stock
As the successor standard to EN 50128:2001, the European Standard EN 50657 specifies the process and technical requirements for the development of software for programmable electronic systems for use on rail vehicles.
The standard exclusively concerns software and the interaction between software and the system to which the software belongs - regardless of whether it is safety-relevant or non-safety-relevant software. Software that is part of a signaling device (railroad control and monitoring) of trains is not affected by EN 50657.
EN 50657 defines the objective of software testing as the verification of the behavior or performance of the software with respect to the corresponding test specification to the degree achievable by the selected test coverage (Chapter 6.1.1). The criteria and the degree of test coverage to be achieved shall be stated in the test specification. Likewise, an assessment of test coverage and test completeness must be created.
All testing, verification and analysis must have a sufficiently high coverage of the implemented code (Chapter 6.7.4.6).
According to Table A.5, techniques such as static analysis, dynamic analysis and tests, as well as code coverage, are highly recommended for SIL 1 up to SIL 4.
The collection of metrics is recommended.
Regarding static analysis, limit value analysis, checklists, control and data flow analysis, failure expectation, and walkthroughs/design reviews are recommended or strongly recommended.
Required Code Coverage
Depending on the safety integrity level (SIL), the EN 50657 standard requires the following test coverage in Table A.21 (R stands for "recommended", HR stands for "highly recommended"):
Coverage criterion | Basic integrity | SIL 1 | SIL 2 | SIL 3 | SIL 4 |
Statement Coverage | - | HR | HR | HR | HR |
Branch Coverage | - | R | R | HR | HR |
Compound conditions (MC/DC Coverage) | - | R | R | HR | HR |
Dataflow | - | R | R | HR | HR |
Path coverage | - | R | R | HR | HR |
Tool Support
Statement-, Branch-, MC/DC- and Modified Condition Coverage (MCC) can be analysed by Testwell CTC++. This coverage tool is suitable for C, C++, Java and C# projects.
Data flow analysis, path coverage and static code analysis can be done with CodeSecure CodeSonar®.
In order to analyse code complexity of C, C++, Java and C# projects, Testwell CMT++ and Testwell CMTJava can be used.
TÜV Süd Certificate for the Code Coverage Analyzer Testwell CTC++
- is suitable to be used in safety-related development according to IEC 61508:2010 for any SIL,
- is qualified to be used in a standard-compliant development process according to ISO 26262:2018 for any ASIL,
- is suitable to be used in safety-related software development according to EN 50128:2011/A2:2020 for any SIL,
- is suitable to be used in safety-related development according to IEC 62304:2006+A1:2015 for any software safety class.
For further information regarding the usage of Testwell CTC++ in safety critical development, please do not hesitate to contact us.