Compliance to EN 50128 with the LDRA tool suite®
Overview
Safety is one of the key issues for railway applications. Railway safety is concerned with the protection of life and property through regulation, management and technology development of all forms of rail transportation. With modern technology, developers are increasingly turning to electronic/software solutions for implementing railway applications such as interlocking systems, signalling and train control systems, vital switch controllers and anti-collision systems (ACS). As complexity, software content and mechatronic implementation increase, so does the risk of systematic failures caused by malfunctioning software and hardware components.
EN 50128 is a standard for railway applications — Communications, signalling and processing systems — Software for railway control and protection systems. Some key areas which the standard seeks to address include software design, implementation and testing for electrical/electronic/programmable electronic systems used in railway applications. In addressing these aspects of development and design the standard makes use of Safety Integrity Levels (SILs), which specify the necessary safety measures for avoiding an unreasonable residual risk, with SIL 4 representing the most stringent level.
The scope of EN 50128 ranges across the entire software lifecycle including phases such as planning, design, development, integration, validation and maintenance, to ensure correctness, control and confidence in the software. These integral processes include requirement traceability, software design, coding and software verification and validation.
EN 50128 applies to any software forming part of a safety-related system or used to develop a safety-related system. It provides specific requirements applicable to support tools such as development and design tools, language translators, testing and debugging tools and configuration management tools. Traceability with respect to requirements at every stage of development and testing is a significant new addition to the latest release of the standard, EN 50128:2011.
For the more demanding SIL levels, the latest release also includes new references to the achievement of the highest levels of structural coverage [Statement, Branch/Decision, LCSAJ (Linear Code Sequence and Jump)] and MC/DC (Modified Condition/Decision Coverage). It also provides an object-oriented software architecture approach for software design.
Both software analysis and requirement traceability tools are essential for cost conscious projects. The LDRA tool suite provides the most comprehensive requirement traceability, source code analysis, structural coverage and unit testing facilities for assisting organisations to meet EN 50128:2001 and EN 50128:2011 for software development and verification activities. As the application of EN 50128 becomes more widespread, it is essential that the choice of tools is based on known expertise.
EN 50128 applies to railway applications (communications, signalling and processing systems) and to software for railway control and protection systems. The standard is derived from IEC 61508.
There is much commonality with the IEC 61508 standard seen in industrial automation, particularly with respect to the requirement for MC/DC (Modified Condition/Decision Coverage) and the structural coverage analysis process. The LDRA tool suite has a long, proven track record of ensuring compliance to such standards, and is therefore the logical choice for working in accordance with EN 50128.
The use of traceability and analysis tools for a project that must meet the EN 50128 standard offers significant productivity and cost benefits. Tools make compliance checking easier, less error prone and more cost effective. In addition, they make the creation, management, maintenance and documentation of requirements traceability straightforward and cost effective. When selecting a test tool to assist in achieving compliance to EN 50128, the following criteria should be considered:
- Does the tool provide complete forward and backward requirements traceability to enable linkage and documentation from all levels to the source code and associated test cases?
- Does the tool have comprehensive fault and coding standards checking capability?
- Does the tool enable analysis for all structural coverage analysis requirements?
- Can the tool perform MC/DC analysis in assignment statements as well as conditional statements?
- Is there tool availability for all the languages required in your project?
- Has the tool been utilised in this manner successfully already?
- Is tool support both flexible and extensive enough to meet changing requirements?
- Is the tool designed to support embedded systems?
- Can the tool support on-target testing?
- Is the tool easy to use?
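The coverage criteria named above (Statement, Branch/Decision, LCSAJ and MC/DC) and the question of MC/DC "in assignment statements as well as conditional statements" are easier to judge with a concrete decision in hand. The following C program is an added illustration written for this page; it is not LDRA code and makes no claim about how the LDRA tool suite computes coverage. It takes one constructed decision, `a && (b || c)`, written once inside an assignment and once inside an `if`, enumerates the truth table, finds the unique-cause independence pairs for each condition (two input vectors that differ only in that condition and change the outcome), and greedily assembles a test set that covers every condition. The point it makes is that the decision is the boolean expression, not the `if` keyword: both forms need the same N+1 test vectors.

```c
#include <stdio.h>
#include <string.h>

/* Number of conditions in the constructed decision a && (b || c). */
#define NCOND 3
#define NVEC  (1 << NCOND)

/* The same decision written two ways. MC/DC applies to both: the decision is
 * the boolean expression, whether it feeds an assignment or a conditional. */
static int decision_in_assignment(int a, int b, int c)
{
    int interlock_ok = a && (b || c);   /* decision inside an assignment */
    return interlock_ok;
}

static int decision_in_conditional(int a, int b, int c)
{
    if (a && (b || c))                  /* decision inside a conditional */
        return 1;
    return 0;
}

typedef int (*decision_fn)(int, int, int);

/* Outcome of the decision for vector v, where bit 2 = a, bit 1 = b, bit 0 = c. */
static int outcome(decision_fn f, int v)
{
    return f((v >> 2) & 1, (v >> 1) & 1, v & 1);
}

/* Unique-cause MC/DC: an independence pair for condition `cond` is two vectors
 * that differ only in that condition and give different outcomes. Fills pairs[]
 * with the vector indices and returns how many pairs were found. */
static int independence_pairs(decision_fn f, int cond, int pairs[NVEC / 2][2])
{
    int n = 0;
    int bit = 1 << (NCOND - 1 - cond);   /* cond 0 = a, 1 = b, 2 = c */
    for (int v = 0; v < NVEC; v++) {
        if (v & bit) continue;           /* visit each pair once, from its 0 side */
        int w = v | bit;
        if (outcome(f, v) != outcome(f, w)) {
            pairs[n][0] = v;
            pairs[n][1] = w;
            n++;
        }
    }
    return n;
}

static int pair_count(decision_fn f, int cond)
{
    int pairs[NVEC / 2][2];
    return independence_pairs(f, cond, pairs);
}

/* Greedy test-set construction: for each condition choose the independence pair
 * that adds the fewest new vectors. selected[v] is set to 1 for chosen vectors.
 * Returns the test-set size, or -1 if some condition has no independence pair
 * (that condition could then never be shown to independently affect the outcome). */
static int mcdc_test_set(decision_fn f, int selected[NVEC])
{
    memset(selected, 0, sizeof(int) * NVEC);
    int size = 0;
    for (int cond = 0; cond < NCOND; cond++) {
        int pairs[NVEC / 2][2];
        int n = independence_pairs(f, cond, pairs);
        if (n == 0) return -1;
        int best = -1, best_cost = 3;      /* a pair never costs more than 2 */
        for (int k = 0; k < n; k++) {
            int cost = !selected[pairs[k][0]] + !selected[pairs[k][1]];
            if (cost < best_cost) { best_cost = cost; best = k; }
        }
        for (int j = 0; j < 2; j++) {
            int v = pairs[best][j];
            if (!selected[v]) { selected[v] = 1; size++; }
        }
    }
    return size;
}

static int mcdc_test_set_size(decision_fn f)
{
    int sel[NVEC];
    return mcdc_test_set(f, sel);
}

/* 1 if the assignment and conditional forms yield the identical test set. */
static int same_test_set(void)
{
    int sa[NVEC], sc[NVEC];
    if (mcdc_test_set(decision_in_assignment, sa) != mcdc_test_set(decision_in_conditional, sc))
        return 0;
    return memcmp(sa, sc, sizeof(sa)) == 0;
}

int main(void)
{
    int sel[NVEC];
    int size = mcdc_test_set(decision_in_assignment, sel);
    printf("MC/DC test set for a && (b || c): %d vectors\n", size);
    for (int v = 0; v < NVEC; v++)
        if (sel[v])
            printf("  a=%d b=%d c=%d -> %d\n", (v >> 2) & 1, (v >> 1) & 1, v & 1,
                   outcome(decision_in_assignment, v));
    return 0;
}
```

For this expression condition `a` has three independence pairs while `b` and `c` have one each (both anchored on the vector a=1, b=0, c=0), and the greedy pass lands on the minimum of N+1 = 4 vectors. Greedy selection is not guaranteed minimal for every decision; a tool that reports MC/DC would normally show the pairs it used so a reviewer can confirm each condition's independent effect.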
The term Requirements Traceability refers to the ability to link system requirements to software safety requirements, and then from software safety requirements to source code and the associated test cases. Such traceability is highly desirable for ensuring the verifiability deemed necessary by the EN 50128 standard, which also notes a requirement for bi-directional traceability. Satisfying the demands of the standard in respect of requirements traceability would be very difficult without the use of an automated traceability tool.
A key element of EN 50128 is the practice of allocating technical safety requirements in the system design and then developing that design further to derive item integration and a test plan, and subsequently the tests themselves. It implicitly includes software elements of the system, with the explicit subdivision of hardware and software development practices being dealt with further down the "V" model.
TBreq supports this process through its extensive requirement traceability facilities. Not only do these facilities aid in recording the results of a walkthrough (for instance), but they also highlight any such actions which require revisiting in the event of a change to the requirements.
EN 50128 details the software development process of the product as design and coding work continues. It specifically addresses:
- Software Requirement Specification and Traceability
- Software Architecture and Design
- Software Design and Implementation
- Software Component Testing
- Software Integration and Testing
- Software Validation
- Software Maintenance
As these themes are developed in this part of the standard, it becomes clear that irrespective of the required SIL level, assistance is available from the LDRA tool suite every step of the way.
Software Requirement Specification and Traceability
TBmanager supports the monitoring and administration of traceability from requirements to source code to test cases/identifiers. It identifies and reports requirements and associated procedures mapped to these requirements. It also shows traceability between requirements and test case identifiers. TBreq produces the Software Verification Report, which provides an overview of the relationships between requirements, verification tasks, test case identifiers, source files and procedures.
Software Architectural Design
The standard calls for "verification of the architectural design". Graphical artifacts generated by the LDRA tool suite are ideally suited to support review of the implemented design against the design artifacts, either by walkthroughs or inspections.
Software Design and Implementation
TBvision has extensive standards checking capability, including industry leading compliance to MISRA-C:1998, MISRA-C:2004 or MISRA C++:2008, CERT C and Netrino C. TBvision reports source code violations both textually and graphically, making use of colour notations for added clarity.
During software component design and implementation, EN 50128 (Table A.12) calls for coding standards to ensure the use of sound design principles for software unit implementation.
TBvision enforces software quality metrics such as Clarity, Maintainability, Testability, Cyclomatic Complexity, etc. Use is again made of colour notation to enhance clarity.
Software Component Testing
The standard requires that "Software unit testing should be planned, specified and executed ...". TBrun provides a graphical user interface for unit test specification, to create tests according to the defined specification, and to present a list of all defined test cases with appropriate pass/fail status.
Automatic creation of the test harness, stubbed functions and even test vectors (if desired) means that unit test execution becomes a quick and easy process, requiring minimal specialist knowledge.
Software Integration and Testing
TBvision and TBrun have the capability to provide Structural Coverage Analysis, both at system test level and at unit test level. The coverage data derived from these two approaches can also be combined to provide the most effective test process for meeting project-specific needs.
Addressing all SIL levels with the LDRA tool suite
The LDRA tool suite is widely used for on-target testing of embedded systems, in software development to meet DO-178B and IEC 61508-based standards such as IEC 62304. The LDRA tool suite is equipped to support even the most demanding SIL 4 applications.
Seamless integration with target hardware ensures that target testing is as efficient and effective as possible, with a host of mechanisms available to optimise extraction of test data from the target system.
Integration with Eclipse-based environments takes integration one step further, whilst upstream integration with UML tools, such as IBM Rational Rhapsody, and MathWorks Simulink, provides an integrated test environment throughout the software development process.