
New standard EN 50716:2023 «Requirements for software development» Part 2

In November 2023, CENELEC issued the new EN 50716:2023 “Railway Applications – Requirements for software development” (DAV: 17 November 2023). It replaces the previous standard EN 50128. This replacement and the associated changes are relevant to our work at CSA Engineering, which involves customer mandates and projects in the safety domain. Based on the Swiss version of the new standard EN 50716:2023, this article focuses on a few of the main changes compared with its predecessor EN 50128:2011.

The main changes in Sections 1 to 7 were set out in part 1, see New standard EN 50716:2023 «Requirements for software development» Part 1. In this article, we will now focus on Sections 8 and 9.

The following main changes are specified in Sections 8 and 9:

8 Development of application data: systems configured by application data

The term “application algorithms” has been deleted and the corresponding text has been adapted. The section describes how to configure generic software using a set of application data or application software*. The development process is to be assessed for SIL1 to SIL4. The specifications set out in Sections 4 to 7 and 9 apply to application software.

Additional documents are now to be created in this phase for “application integration test specification,” “application integration test report” and an “application release note”.

Regarding the development process for the application software, a note has been added to indicate that this must be described in the “application preparation plan”. Here are some details:

8.4.1.8 Instead of a risk analysis, a failure analysis is now required. The method to be used is not specified in more detail.

8.4.5 The term “application integration test” is now used here in accordance with the heading. The note indicates that in 8.4.4 a simulated environment is typically used and the integration should take place on a representative target system.

8.4.7.7 now requires an “application release note” to accompany the application data.

8.4.7.8 lists the requirements for the “application release note”.

8.4.8 Development of generic software is omitted, as Sections 4 to 7 and 9 apply.

The techniques and methods in Table A.11 have remained the same, except that Table A.13 is now referenced for functional tests. Table A.13 contains further techniques from Table A.14, which is now empty, such as process simulation (D.42), prototyping (D.43) and tests based on cause and effect diagrams (D.6). Performance modelling (D.39) is no longer listed. Tests with equivalence classes and input data subdivision (D.18) are now highly recommended (HR) from SIL 1.

* Definition of application software: software that is specific to the solution of a problem submitted by an end user [SOURCE: IEC 60050-171:2019, 171-05-04].

[Figure: Application data – potential connections between application data and software]

The figure shows the potential connections between application data and software. In this example, the bootloader does not appear to use any application data, so in our opinion Section 8 would only apply to the “application software” and the “firmware”. However, if the bootloader checks the integrity of the firmware before starting it, this assumption no longer holds. The figure would then have to be extended so that the connection “bootloader checks integrity of firmware” is visible. Depending on the result of the integrity check, the bootloader may have to behave differently, so Section 8 would also be applicable to the bootloader.
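To make the bootloader case concrete, here is a small added illustration (not taken from the standard or from the article): a bootloader decision that consumes a firmware manifest as its application data, so that its behaviour depends on that data. All values are constructed, and an HMAC with a constructed device key stands in for a real signature scheme.

```python
import hashlib
import hmac

# Constructed device key: a stand-in for the key material a real bootloader
# would use to authenticate its manifest (e.g. a public key for signatures).
DEVICE_KEY = b"constructed-demo-key"


def manifest_tag(fw_digest: bytes) -> bytes:
    """Authentication tag over the expected firmware digest (HMAC-SHA256)."""
    return hmac.new(DEVICE_KEY, fw_digest, hashlib.sha256).digest()


def make_manifest(firmware: bytes, fallback_allowed: bool) -> dict:
    """Build the application data the bootloader consumes for one firmware image."""
    digest = hashlib.sha256(firmware).digest()
    return {
        "expected_sha256": digest,
        "tag": manifest_tag(digest),
        "fallback_allowed": fallback_allowed,  # policy carried as application data
    }


def decide_boot(manifest: dict, firmware: bytes) -> str:
    """Return the bootloader action: 'boot', 'fallback' or 'halt'.

    The outcome depends on the manifest, which is why a bootloader that
    performs this check is itself configured by application data.
    """
    # 1. The manifest must be authentic before any of its contents are trusted.
    expected_tag = manifest_tag(manifest["expected_sha256"])
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        return "halt"
    # 2. The firmware image must match the digest recorded in the manifest.
    actual = hashlib.sha256(firmware).digest()
    if not hmac.compare_digest(actual, manifest["expected_sha256"]):
        # Policy in the application data decides between fallback and halt.
        return "fallback" if manifest.get("fallback_allowed") else "halt"
    return "boot"


if __name__ == "__main__":
    fw = b"constructed firmware image v1"
    print(decide_boot(make_manifest(fw, True), fw))           # boot
    print(decide_boot(make_manifest(fw, True), fw + b"x"))    # fallback
```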

9 Software deployment and maintenance

9.1 Software deployment: The software release, deployment plan and release notes do not apply.

In our opinion, this should be covered by the new release note in Section 8. It is assumed that all software is configured by application data. This will also apply to modern systems with communication interfaces, which require at least one specific network address.

9.2 Software maintenance: It has been explicitly added that the assessor must prepare a software assessment report for SIL 1 to SIL 4. The reference to the withdrawn ISO/IEC 9126 “software quality” with regard to maintainability has been removed. The successor standards ISO/IEC 25002:2024, ISO/IEC 25010:2023, ISO/IEC 25019:2023 “Systems and Software Quality Requirements and Evaluation (SQuaRE)” are not explicitly listed.

The techniques and methods in Table A.10 have not changed.


Conclusion

The analysis (parts 1 and 2) has shown that the new [SN EN 50716:2023] is structurally aligned with the predecessor standard [SN EN 50128:2011], making it easy to navigate and get to grips with the content. We believe that the aspects that have been adapted in [SN EN 50716:2023] make it a successful project that uses a standardised framework to describe how software for railway applications has to be developed, regardless of whether it is intended for infrastructure or vehicles. A detailed analysis will be required to adapt existing templates and checklists based on the old standards.


Are you planning normative or general requirements engineering work?

We at CSA Engineering AG would be happy to support you with your project. Contact us for an informal discussion about the options available and how we can support you.

References
[SN EN 50716:2023] SN EN 50716:2023, Railway Applications – Requirements for software development
