EN 50716 Railway Applications – Requirements for Software Development
The standard EN 50716:2023 was adopted by CENELEC (European Committee for Electrotechnical Standardization) at the end of 2023.
EN 50716 replaces EN 50128:2011 and EN 50657:2017. It describes the requirements for the development, provision and maintenance of software for railroad applications (control, command and signaling applications and applications on railroad vehicles).
For the analysis and testing of software components, static analysis (including control flow analysis and data flow analysis), dynamic analysis and testing, and measurement of code coverage are highly recommended for all software integrity levels (SIL 1 to SIL 4).
The use of coding standards is highly recommended for basic integrity, SIL 1 and SIL 2 and even mandatory for SIL 3 and SIL 4.
For all safety levels, it is strongly recommended that the size and complexity of functions, subroutines and methods is limited.
Required Code Coverage
Depending on the safety integrity level (SIL), EN 50716 requires in Table A.21 the following code coverage for structure-based testing (code-based or white-box tests); R stands for “recommended”, HR stands for “highly recommended”:

| Coverage criterion | Basic integrity | SIL 1 | SIL 2 | SIL 3 | SIL 4 |
|---|---|---|---|---|---|
| 1 Statement coverage | R | HR | HR | HR | HR |
| 2 Branch coverage | - | R | R | HR | HR |
| 3 Compound conditions (MC/DC coverage) | - | R | R | HR | HR |
| 4 Data flow | - | R | R | HR | HR |
| 5 Path coverage | - | R | R | HR | HR |
For SIL 3 or SIL 4, the test coverage at component level should be measured as one of the following:
- branches (2) and compound conditions (3), or
- branches (2) and data flow (4), or
- path (5);
alternatively, test coverage at integration level should be measured against one or more of criteria 2, 3, 4 or 5.
Other criteria for test coverage (depending on the software architecture and programming language) can be used if this can be justified.
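As an added example (not code from the page, from EN 50716 or from the Testwell tools), the following C program checks a candidate unit-test set for a hypothetical decision against branch coverage (row 2 of Table A.21) and unique-cause MC/DC (row 3), showing that a test set with 100 % branch coverage can still fall short of MC/DC. The decision, its condition names and the test vectors are all constructed for illustration.

```c
/* Added example (not from the page or EN 50716): a unique-cause MC/DC checker
 * for one decision with three Boolean conditions, showing why Table A.21 row 3
 * (compound conditions) needs more test vectors than row 2 (branches). The
 * decision is a hypothetical interlock: release = door_closed && (speed_zero || override). */
#include <stdbool.h>
#include <stddef.h>

#define N_COND 3

/* The decision under test; conditions are c[0], c[1], c[2]. */
static bool decision(const bool c[N_COND])
{
    return c[0] && (c[1] || c[2]);
}

/* Branch coverage only needs the decision observed both true and false. */
bool achieves_branch(const bool vec[][N_COND], size_t n)
{
    bool seen_true = false, seen_false = false;
    for (size_t i = 0; i < n; i++) {
        if (decision(vec[i])) seen_true = true; else seen_false = true;
    }
    return seen_true && seen_false;
}

/* Unique-cause MC/DC: for each condition k there must be two vectors that
 * differ only in k and give different outcomes, i.e. k is shown to affect
 * the decision independently of the other conditions. */
bool achieves_mcdc(const bool vec[][N_COND], size_t n)
{
    for (int k = 0; k < N_COND; k++) {
        bool shown = false;
        for (size_t i = 0; i < n && !shown; i++) {
            for (size_t j = 0; j < n && !shown; j++) {
                bool only_k_differs = vec[i][k] != vec[j][k];
                for (int m = 0; m < N_COND; m++)
                    if (m != k && vec[i][m] != vec[j][m]) only_k_differs = false;
                if (only_k_differs && decision(vec[i]) != decision(vec[j]))
                    shown = true;
            }
        }
        if (!shown) return false;
    }
    return true;
}

/* Constructed test sets: two vectors already give 100 % branch coverage; the
 * four-vector set (N+1 for N conditions) is the smallest that achieves MC/DC. */
const bool branch_only[2][N_COND] = { {1, 1, 0}, {0, 1, 0} };
const bool mcdc_set[4][N_COND] = { {1, 1, 0}, {0, 1, 0}, {1, 0, 1}, {1, 0, 0} };
```

For the branch_only set, achieves_branch returns true but achieves_mcdc returns false, because no pair of vectors isolates speed_zero or override; the mcdc_set satisfies both criteria.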
Tool Support
Statement, branch, MC/DC and Modified Condition Coverage (MCC) can be analysed with Testwell CTC++. This coverage tool is suitable for C, C++ and Java projects.

Data flow analysis, code complexity and static code analysis can be done with CodeSecure CodeSonar.
In order to analyse code complexity of C, C++, Java and C# projects, Testwell CMT++ and Testwell CMTJava can be used.
TÜV Süd Certificate for the Code Coverage Analyzer Testwell CTC++
According to this certificate, Testwell CTC++
- is suitable to be used in safety-related development according to IEC 61508:2010 for any SIL,
- is qualified to be used in a standard-compliant development process according to ISO 26262:2018 for any ASIL,
- is suitable to be used in safety-related software development according to EN 50716:2023 for any SIL,
- is suitable to be used in safety-related development according to IEC 62304:2006+A1:2015 for any software safety class.
For further information regarding the usage of Testwell CTC++ in safety critical development, please do not hesitate to contact us.