prEN 50126-5

SLOVENSKI STANDARD
oSIST prEN 50126-5:2013
01-januar-2013
Železniške naprave - Specifikacija in prikaz zanesljivosti, razpoložljivosti,
vzdrževalnosti in varnosti (RAMS) - 5. del: Funkcinalna varnost - Programska
oprema
Railway applications - The Specification and Demonstration of Reliability, Availability,
Maintainability and Safety (RAMS) - Part 5: Functional Safety - Software
Bahnanwendungen - Spezifikation und Nachweis von Zuverlässigkeit, Verfügbarkeit,
Instandhaltbarkeit und Sicherheit (RAMS) -- Teil 5: Funktionale Sicherheit - Software
Applications ferroviaires - Spécification et démonstration de la fiabilité, de la disponibilité,
de la maintenabilité et de la sécurité (FDMS) - Partie 5: Sécurité fonctionnelle - Logiciel
Ta slovenski standard je istoveten z: prEN 50126-5:2012
ICS:
35.240.60 Uporabniške rešitve IT v IT applications in transport
transportu in trgovini and trade
45.020 Železniška tehnika na Railway engineering in
splošno general
oSIST prEN 50126-5:2013 en
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

oSIST prEN 50126-5:2013
oSIST prEN 50126-5:2013
DRAFT
EUROPEAN STANDARD
NORME EUROPÉENNE
October 2012
EUROPÄISCHE NORM
ICS 29.280; 45.020 Will supersede EN 50128:2011

English version
Railway applications -
The Specification and Demonstration of Reliability, Availability,
Maintainability and Safety (RAMS) -
Part 5: Functional Safety -
Software
Applications ferroviaires -  Bahnanwendungen -
Spécification et démonstration de la fiabilité, Spezifikation und Nachweis von
de la disponibilité, de la maintenabilité et de la Zuverlässigkeit, Verfügbarkeit,
sécurité (FDMS) - Instandhaltbarkeit und Sicherheit (RAMS) -
Partie 5: Sécurité fonctionnelle - Teil 5: Funktionale Sicherheit -
Logiciel Software
This draft European Standard is submitted to CENELEC members for CENELEC enquiry.
Deadline for CENELEC: 2013-03-29.

It has been drawn up by CLC/TC 9X.

If this draft becomes a European Standard, CENELEC members are bound to comply with the CEN/CENELEC Internal
Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any
alteration.
This draft European Standard was established by CENELEC in three official versions (English, French, German). A version in
any other language made by translation under the responsibility of a CENELEC member into its own language and notified to
the CEN-CENELEC Management Centre has the same status as the official versions.

CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech
Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia,
Spain, Sweden, Switzerland, Turkey and the United Kingdom.

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are
aware and to provide supporting documentation.

Warning : This document is not a European Standard. It is distributed for review and comments. It is subject to change without
notice and shall not be referred to as a European Standard.

CENELEC
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung

Management Centre: Avenue Marnix 17, B - 1000 Brussels

© 2012 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Project: 21755 Ref. No. prEN 50126-5:2012 E

oSIST prEN 50126-5:2013
13001 Contents Page
13002 Foreword . 4
13003 Introduction . 6
13004 1 Scope . 9
13005 2 Normative references . 10
13006 3 Terms and definitions . 11
13007 4 Abbreviations. 11
13008 5 Overall framework of EN 50126-5 . 12
13009 6 Software Management and Organisation . 13
13010 6.1 Organisation, Roles and Responsibilities . 13
13011 6.2 Personnel Competence . 16
13012 6.3 Lifecycle Issues and Documentation . 17
13013 7 Software assurance . 21
13014 7.1 Analysis . 21
13015 7.2 Software testing . 23
13016 7.3 Software Verification . 24
13017  Software Validation . 27
7.4
13018 7.5 Independent Software Assessment . 29
13019 7.6 Software Quality Assurance . 31
13020 7.7 Safety Management . 33
13021 7.8 Configuration Management and Modification Control . 35
13022 7.9 Support Tools and Languages. 36
13023 8 Generic Software Development . 39
13024 8.1 Lifecycle and Documentation for Generic Software . 39
13025 8.2 Software Requirements . 39
13026 8.3 Architecture and Design . 41
13027 8.4 Component Design . 46
13028 8.5 Component Implementation and Testing . 48
13029 8.6 Integration . 49
13030 8.7 Final Validation and Independent Assessment . 51
13031 9 Development of Application Data or Algorithms: systems configured by application data
13032 or algorithms. 58
13033 9.1 Objectives . 58
13034 9.2 Input . 58
13035 9.3 Deliverables . 58
13036 9.4 Requirements . 59
13037 10 Software Deployment and Maintenance . 63
13038 10.1 Software Deployment . 63
13039 10.2 Software Maintenance . 65
13040 Annex A (normative) Criteria for the Selection of Techniques and Measures . 68
13041 Annex B (normative) Key Software Roles and Responsibilities . 82
13042 Annex C (informative) Documents Control Summary . 90
13043 Annex D (informative) Multi-core and Multi-threaded Programming . 92
13044 Annex E (informative) Structure of Software Safety Case . 94
13045 Annex F (informative) Bibliography of Techniques . 103
13046 Bibliography . 136

oSIST prEN 50126-5:2013
- 3 - prEN 50126-5:2012
13047 Figures
13048 Figure 1 – Illustrative Software Route Map . 8
13049 Figure 2 – Illustration of the preferred organisational structure . 14
13050 Figure 3 – Illustrative Development Lifecycle 1 . 19
13051 Figure 4 – Illustrative Development Lifecycle 2 . 20
13052 Figure E.1 – Structure of Safety Case . 95
13053 Figure E.2 – Structure of Technical Safety Report . 96
13054 Tables
13055 Table 1 – Relation between tool class and applicable paragraphs of 7.9.4.14 . 38
13056 Table A.1 – Lifecycle Issues and Documentation (6.3) . 69
13057 Table A.2 – Software Requirements Specification (8.2) . 71
13058 Table A.3 – Software Architecture (8.3) . 72
13059 Table A.4 – Software Design and Implementation (8.4) . 73
13060 Table A.5 – Verification and Testing (6.2 and 7.3) . 74
13061 Table A.6 – Integration (7.6) . 74
13062 Table A.7 – Overall Software Testing (7.3 and 8.7) . 74
13063 Table A.8 – Software Analysis Techniques (7.4) . 75
13064 Table A.9 – Software Quality Assurance (7.6) . 75
13065 Table A.10 – Software Maintenance (10.2) . 75
13066 Table A.11 – Data Preparation Techniques (9.4) . 76
13067 Table A.12 – Coding Standards . 76
13068 Table A.13 – Dynamic Analysis and Testing . 77
13069 Table A.14 – Functional/Black Box Test . 77
13070 Table A.15 – Textual Programming Languages . 78
13071 Table A.16 – Diagrammatic Languages for Application Algorithms . 78
13072 Table A.17 – Modelling . 79
13073 Table A.18 – Performance Testing . 79
13074 Table A.19 – Static Analysis . 79
13075 Table A.20 – Components . 80
13076 Table A.21 – Test Coverage for Code . 80
13077 Table A.22 – Object Oriented Software Architecture . 81
13078 Table A.23 – Object Oriented Detailed Design . 81
13079 Table B.1 – Software Requirements Manager Role Specification . 82
13080 Table B.2 – Software Designer Role Specification . 83
13081 Table B.3 – Software Implementer Role Specification . 83
13082 Table B.4 – Software Tester Role Specification . 84
13083 Table B.5 – Software Verifier Role Specification . 84
13084 Table B.6 – Software Integrator Role Specification . 85
13085 Table B.7 – Software Validator Role Specification . 86
13086 Table B.8 – Software Assessor Role Specification . 87
13087 Table B.9 – Software Project Manager Role Specification . 88
13088 Table B.10 – Software Configuration Manager Role Specification . 88
13089 Table B.11 – Software Safety Manager Role Specification . 89
13090 Table C.1 – Documents Control Summary . 90
oSIST prEN 50126-5:2013
13092 Foreword
13093 This document [prEN 50126-5:2012] has been prepared by CLC/TC 9X "Electrical and electronic
13094 applications for railways".
13095 This document is currently submitted to the Enquiry.
13096 EN 50126 "Railway applications – The specification and demonstration of Reliability, Availability,
13097 Maintainability and Safety (RAMS)" consists of the following parts:
13098 – Part 1: Generic RAMS process;
13099 – Part 2: Systems approach to safety;
13100 – Part 4: Functional safety – Electrical/Electronic/Programmable electronic systems;
13101 – Part 5: Functional safety – Software.
13102 This new edition of EN 50126 (all parts) will supersede EN 50126-1:1999, CLC/TR 50126-2:2007,
13103 CLC/TR 50126-3:2008, EN 50128:2011 and EN 50129:2003.
13104 This part of EN 50126 will supersede EN 50128:2011.
13105 This document has been prepared under a mandate given to CENELEC by the European Commission
13106 and the European Free Trade Association, and supports essential requirements of EU Directive(s).
13107 This European Standard supports the European Railway Directive 2004/49/EC (Railway Safety Directive)
13108 and the Commission Regulation (EC) No 352/2009 of 24 April 2009 on the adoption of a common safety
13109 method on risk evaluation and independent assessment as referred to in Article 6(3)(a) of Directive
13110 2004/49/EC of the European Parliament and of the Council.

oSIST prEN 50126-5:2013
- 5 - prEN 50126-5:2012
oSIST prEN 50126-5:2013
13112 Introduction
13113 EN 50126-1:1999 was produced to introduce the application of a systematic RAMS management process
13114 in the railway sector. For safety related electronic systems for signalling, EN 50128:2011 and
13115 EN 50129:2003 were produced. Through the application of these European Standards and the
13116 experiences gained over the recent years, the need for revision and restructuring became apparent with a
13117 need to deliver a systematic and coherent approach to RAMS applicable to all the railway application
13118 fields Signalling, Rolling Stock and Fixed Installations.
13119 The revision work improved the coherence and consistency of the European Standards, the concept of
13120 safety management and the practical usage of EN 50126 and took into consideration the existing and
13121 related Technical Reports as well.
13122 This European Standard provides railway duty holders and the railway suppliers, throughout the
13123 European Union, with a process which will enable the implementation of a consistent approach to the
13124 management of reliability, availability, maintainability and safety, denoted by the acronym RAMS.
13125 Processes for the specification and demonstration of RAMS requirements are cornerstones of this
13126 standard.
13127 EN 50126 is the railway sector specific application of IEC 61508. Meeting the requirements in
13128 this European Standard is sufficient to ensure that additional compliance to IEC 61508 does not
13129 need to be evaluated.
13130 With regard to safety EN 50126-1 provides a Safety Management Process which is supported by
13131 guidance and methods described in EN 50126-2.
13132 EN 50126-1 and EN 50126-2 are independent from the technology used. EN 50126-4 and EN 50126-5
13133 provide guidance specific to safety related E/E/EP technology of railway applications and their application
13134 depends on the outcome of the safety related methods described in EN 50126-2. As far as safety is
13135 concerned, EN 50126 takes the perspective of functional safety. This does not exclude other aspects of
13136 safety. However, these are not the focus.
13137 The aims set for revision of EN 50126 required a better understanding of the systems approach and
13138 improved methods for applying the safety management process described in EN 50126-1. EN 50126-2
13139 provides this guidance.
13140 The application of this European Standard shall be adapted to the specific requirements of the system
13141 under consideration.
13142 This European Standard can be applied systematically by the railway duty holders and railway suppliers,
13143 throughout all phases of the life cycle of a railway application, to develop railway specific RAMS
13144 requirements and to achieve compliance with these requirements. The systems-level approach
13145 developed by this European Standard facilitates independent assessment of the RAMS interactions
13146 between elements of railway applications even if they are of complex nature.
13147 This European Standard promotes co-operation between the stakeholders of Railways in the
13148 achievement of an optimal combination of RAMS and cost for railway applications. Adoption of this
13149 European Standard will support the principles of the European Single Market and facilitate European
13150 railway interoperability.
13151 The process defined by this European Standard assumes that railway duty holders and railway suppliers
13152 have business-level policies addressing Quality, Performance and Safety. The approach defined in this
13153 European Standard is consistent with the application of quality management requirements contained
13154 within the ISO 9000 series of International standards.
13155 With the term document this European Standard rather means technical contents and not necessarily
13156 single physical documents. Such technical contents can arbitrarily be combined to physical documents
13157 dependent on the needs of the specific project. Technical contents can also be omitted in the process-
13158 tailoring step which should take place in the early planning phase of a project. The omission of technical

oSIST prEN 50126-5:2013
- 7 - prEN 50126-5:2012
13159 contents has however to be justified with technical arguments. The tailoring process is best documented
13160 in a Project Document List, declaring which documents with which technical contents are planned to be
13161 created, by whom and in which phase of the project. Omitted technical contents should be highlighted
13162 and the omission justified.
13163 The current state-of-the-art is such that neither the application of quality assurance methods (so-called
13164 fault avoiding measures and fault detecting measures) nor the application of software fault tolerant
13165 approaches can guarantee the absolute safety of the software. The proof of the absence of faults, in
13166 reasonably complex safety-related software, especially the absence of specification and design faults is
13167 currently a formidable if not unattainable task. Adopting a systematic principled process and employing
13168 competent resources constitute current best practice in software development. The principles applied in
13169 developing high integrity software include, but are not restricted to
13170 – top-down design methods,
13171 – modularity,
13172 – verification of each phase of the development lifecycle,
13173 – verified components and component libraries,
13174 – clear documentation and traceability,
13175 – auditable documents,
13176 – validation,
13177 – assessment,
13178 – configuration management and change control and
13179 – appropriate consideration of organisation and personnel competency issues.
13180 This European Standard does not mandate the use of a particular software development lifecycle.
13181 However, illustrative lifecycle and documentation sets are given in 6.3, Figure 3 and Figure 4 and in 8.1.

oSIST prEN 50126-5:2013
Obtain System Requirements Specification,
System Safety Requirements Specification
System Architecture Description and System
Safety Plan for the system
Identify all the safety functions allocated to the
software
Review all safety functions allocated to the
software and determine the Software Safety
Integrity Level
Produce the Software Requirements
Specification and the Software Architecture
Specification
Design, develop and verify/test the software
according to the Software Quality Assurance
Plan, Software Safety Integrity Level and the
Software Lifecycle
Perform the Software Validation and hand
over to system integrator
Operational life of the system
Software Maintenance
13183 Figure 1 – Illustrative Software Route Map

oSIST prEN 50126-5:2013
- 9 - prEN 50126-5:2012
13184 1 Scope
13185 This part of EN 50126
13186 • is intended to apply to all safety-related software aimed at electronic railway systems/sub-system.
13187 The relevant methods are provided by EN 50126-2. If analysis reveals that no safety requirements
13188 exist (i.e. the situation is non-safety-related), and provided the conclusion is not revised as a
13189 consequence of later changes, this part of EN 50126 ceases to be applicable;
13190 • specifies the process and technical requirements for the development of software for programmable
13191 electronic systems for use in railway monitoring, control and protection applications. These systems
13192 can be implemented using dedicated microprocessors, programmable logic controllers,
13193 multiprocessor distributed systems, larger scale central processor systems or other architectures.
13194 • is applicable exclusively to software and the interaction between software and the system/sub-
13195 system of which it is part.
13196 This European Standard
13197 • is primarily applicable to software which have been specifically designed and developed for railway
13198 applications. It should also be applied, as far as reasonably practicable, to general-purpose or
13199 industrial software which is procured for use as part of a safety-related railway system. As a
13200 minimum, evidence shall be provided in such cases to demonstrate:
13201 - either that the software is not relied on for safety,
13202 - or that the software can be relied on for those functions which relate to safety;
13203 • applies
13204 - to the specification, architecture, design, development, implementation, integration, installation,
13205 acceptance, deployment, operation, maintenance and modification/extension phases of the
13206 software in a system /subsystem. It also applies to individual sub-systems within the overall
13207 system as determined by the process in EN 50126-1 and supported by the methods in
13208 EN 50126-2,
13209 - to generic sub-systems (both application-independent and those intended for a particular class of
13210 application), and also to systems/sub-systems for specific applications;
13211 • does not define
13212 - RAMS targets, quantities, requirements or solutions for specific railway applications
13213 - rules or processes pertaining to the certification of railway products against the requirements of
13214 this European Standard
13215 - an approval process by the safety authority;
13216 • does not specify requirements for ensuring system security.
13217 This part EN 50126 is applicable
13218 • to the specification and demonstration of safety for all software in railway applications and at all
13219 levels of such an application, as appropriate, from complete railway systems to major systems and to
13220 individual and combined sub-systems within these major systems; in particular:
13221 - to new systems;
13222 - to new systems integrated into existing systems in operation prior to the creation of this European
13223 Standard, although it is not generally applicable to other aspects of the existing system;
13224 - for modifications of existing software on systems in operation prior to the creation of this
13225 European Standard, although it is not generally applicable to other aspects of the existing system.

oSIST prEN 50126-5:2013
13226 - at all relevant phases of the lifecycle of an application;
13227 - for use by railway duty holders, railway suppliers, assessors and safety authorities;
13228 • to all safety related software used in railway control and protection systems, including
13229 1. application programming,
13230 2. operating systems,
13231 3. support tools,
13232 4. firmware.
13233 Application programming comprises high level programming, low level programming and special purpose
13234 programming (for example: Programmable logic controller ladder logic).
13235 • not relevant for software that has been identified as having no impact on safety, i.e. software of
13236 which failures cannot affect any identified safety functions.
13237 This European Standard also addresses the use of pre-existing software and tools. Such software may
13238 be used, if the specific requirements in 7.6.4.12 and 8.3.4.1.6 on pre-existing software and for tools in 7.9
13239 are fulfilled.
13240 Existing systems compliant with any version of former EN 50126, EN 50128 or EN 50129 shall not be
13241 subject of reconsideration and are considered as compliant with this European Standard.
13242 Railway applications mean Command, Control & Signalling, Rolling Stock and Fixed Installations for
13243 Railways (e.g. Electric Power Supply).
13244 Application of EN 50126-5 builds on the results in applying the methods described by EN 50126-2.
13245 NOTE Guidance on the applicability is given in the requirements of this European Standard.
13246 2 Normative references
13247 The following documents, in whole or in part, are normatively referenced in this document and are
13248 indispensable for its application. For dated references, only the edition cited applies. For undated
13249 references, the latest edition of the referenced document (including any amendments) applies.
13250 EN 50126-1:1999 + corr. May. 2006 + corr. May. 2010, Railway applications – The specification and
13251 demonstration of Reliability, Availability, Maintainability and Safety (RAMS) – Part 1: Basic requirements
13252 and generic process
13253 EN 50129:2003 + corr. May. 2010, Railway applications – Communication, signalling and processing
13254 systems – Safety related electronic systems for signalling
13255 EN ISO 9000, Quality management systems – Fundamentals and vocabulary (ISO 9000)
13256 EN ISO 9001, Quality management systems – Requirements (ISO 9001)
13257 ISO/IEC 90003:2004, Software engineering – Guidelines for the application of ISO 9001:2000 to
13258 computer software
13259 ISO/IEC 9126 (all parts), Software engineering – Product quality

oSIST prEN 50126-5:2013
- 11 - prEN 50126-5:2012
13260 3 Terms and definitions
13261 For the purposes of this document, the terms and definitions given in EN 50126-1:1999 and the following
13262 apply.
13263 3.1
13264 independent assessment
13265 process of analysis to determine whether software, which may include process, documentation, system,
13266 subsystem hardware and/or software components, meets the specified requirements and to form a
13267 judgement as to whether the software is fit for its intended purpose. Safety assessment is an independent
13268 assessment focused on but not limited to the safety properties of a system
13269 3.2
13270 component
13271 constituent part of software, which has well-defined interfaces and behaviour with respect to the software
13272 architecture and design and fulfils the following criteria:
13273 – it is designed according to “Components” (see Table A.20);
13274 – it covers a specific subset of software requirements;
13275 – it is clearly identified and has an independent version inside the configuration management system
13276 or is a part of a collection of components (e. g. subsystems) which have an independent version
13277 3.3
13278 configuration manager
13279 entity that is responsible for implementing and carrying out the processes for the configuration
13280 management of documents, software and related tools including change management
13281 3.4
13282 customer
13283 entity which purchases a railway control and protection system including the software
13284 3.5
13285 programmable logic controller
13286 solid-state control system which has a user programmable memory for storage of instructions to
13287 implement specific functions
13288 3.6
13289 robustness
13290 ability of an item to detect and handle abnormal situations
13291 3.7
13292 supplier
13293 entity that designs and builds a railway control and protection system including the software or parts
13294 thereof
13295 3.8
13296 system safety integrity level
13297 classification number which indicates the required degree of confidence that an integrated system
13298 comprising hardware and software will meet its specified safety requirements
13299 4 Abbreviations
13300 For the purposes of this document, the abbreviations given in EN 50126-1:1999 and below apply.
13301 ASR Assessor
13302 COTS Commercial off-the-shelf
13303 DES Designer
13304 HR Highly Recommended
13305 IMP Implementer
13306 INT Integrator
oSIST prEN 50126-5:2013
13307 JSD Jackson System Development Method
13308 M Mandatory
13309 MASCOT Modular Approach to Software Construction, Operation and Test
13310 MBSA Model Based Safety Assessment/Assurance
13311 NR Not Recommended
13312 PM Project Manager
13313 R Recommended
13314 RQM Requirements Manager
13315 SDL Specification and Description Language
13316 SFC Sequential Function Charts
13317 SOM Service Oriented Modelling
13318 SSADM Structured Systems Analysis & Design Methodology
13319 TST Tester
13320 V&V Verification and Validation
13321 VAL Validator
13322 VER Verifier
13323 5 Overall framework of EN 50126-5
13324 This part of the EN 50126 suite of European Standards addresses the application of the safety life cycle
13325 to the development of software for incorporation in electronic hardware and integrated systems
13326 comprising electrical, electronic and programmable electronic hardware. The principal purpose of this
13327 suite of European Standards is to support the design, development, production and operation of
13328 acceptably safe products, systems and processes aimed at railway applications. In this spirit, the
13329 approval, acceptance or certification constitute a secondary potential benefit arising from compliance with
13330 this suite of European Standards. EN 50126-4 and EN 50126-5 of the European Standard suite address
13331 technology specific safety requirements and are complementary to the requirements and the framework
13332 developed in EN 50126-1 and EN 50126-2 which shall also be complied with. This European Standard
13333 addresses the management, organisation and overall assurance of software aimed at electronic systems
13334 including the safety requirements applicable to generic and algorithmic software.
13335 The overall scope of this European Standard includes software developed for incorporation in electronic
13336 and programmable electronic hardware systems with fixed or configurable logic.
13337 Apart from software, this European Standard places requirements for management, organisation and the
13338 competency of the people who assume various roles in the safety life cycle of software. This is in
13339 recognition of the major impact of the organisational and competency aspects on the overall reduction of
13340 the systematic errors which are otherwise likely to remain embedded in the design and production of
13341 software.
13342 The overall structure of this European Standard addresses key safety life cycle requirements in the
13343 design, development, deployment and maintenance of software for electronic and programmable
13344 electronic systems. Where appropriate, the structure in this European Standard is aligned with the
13345 hardware and system standard in EN 50126-4 to provide a familiar and systematic approach across the
13346 related disciplines.
13347 Clauses 6 and 7 of this European Standard set out the common requirements for life cycle phases
13348 defined in Clauses 8-10. These clauses are structured to state the objectives, inputs, requirements and
13349 the outputs pertinent to each phase of the life-cycle.
13350 Clause 6 sets out the generic management and organisational requirements, pertinent to software for
13351 electronic systems, addressing documentation, roles, requisite competencies, responsibilities of key
13352 personnel and the required independence between the roles.

oSIST prEN 50126-5:2013
- 13 - prEN 50126-5:2012
13353 Clause 7 sets out the generic software assurance requirements addressing quality management, safety
13354 management, configuration and change management and support tools.
13355 Clause 8 sets out the requirements for the development of generic software addressing architecture,
13356 design, implementation, integration, installation and commissioning and validation. It additionally provides
13357 requirements and guidelines for development of Software Safety Cases.
13358 Clause 9 sets out the requirements for the development of software systems configured by application
13359 data or algorithm addressing architecture, design, implementation, integration, testing, installation and
13360 commissioning and validation. Many of the requirements of the generic software are equally applicable to
13361 configurable variants.
13362 Clause 10 sets out the requirements for a systematic approach to the safe deployment, operation and
13363 maintenance of safety related software in railways. It details the requisite processes that have to be
13364 implemented to ensure safe software is safely put into use and safely maintained throughout its
13365 operational life.
13366 The annexes to this European Standard provide normative and informative requirements and guidance
13367 considered supplementary to the main sections of this European Standard. These comprise guidance on
13368 selection of techniques and measures, key safety roles and competencies for development of software,
13369 multi-core programming, guidance on the structure of Software Safety Cases and an updated generic
13370 bibliography of the software and system design and development techniques.
13371 6 Software Management and Organisation
13372 6.1 Organisation, Roles and Responsibilities
13373 6.1.1 Objective
13374 6.1.1.1 To ensure that all personnel who have responsibilities for the software are organised,
13375 empowered and capable of fulfilling their responsibilities.
13376 6.1.2 Requirements
13377 6.1.2.1 As a minimum, the supplier shall implement EN ISO 9001, Clauses 4 and 5, dealing with the
13378 organisation and management of the personnel and responsibilities.
13379 6.1.2.2 Responsibilities shall be compliant with the requirements defined in Annex B and assessed.
13380 6.1.2.3 The personnel assigned to the roles involved in the development or maintenance of the software
13381 shall be recorded in the Quality Managenent Report or in another document referenced by the Quality
13382 Managenent Report.
13383 6.1.2.4 An Assessor shall be appointed by the supplier, the customer or the Safety Authority.
13384 6.1.2.5 The assessor may be part or not of the supplier organization, but shall be in any case
13385 independent from the project organizations (Design, Testing, Integration, Safety, Verification and
13386 Validation). National legislation / Safety Authority may ask for additional independence requirements.
13387 NOTE The independent assessment body may be identified by national legislation.
13388 6.1.2.6 The Assessor shall be given authority to perform the independent assessment of the software.
13389 6.1.2.7 The Validator shall give agreement/disagreement for the software release.
13390 6.1.2.8 Throughout the software lifecycle, the parties involved shall be independent, in accordance with
13391 6.1.2.9 to 6.1.2.13, to the extent required by software SIL.

oSIST prEN 50126-5:2013
ASR
PM
SIL 3 & SIL 4
RQM, DES, IMP
INT, TST VER VAL
PM ASR
SIL1 & SIL  2
RQM, DES, IMP INT, TST VER, VAL
PM
ASR
SIL 0
RQM, DES, IMP
INT, TST, VER, VAL
Key
can be the same person
can be the same organization
shall report to the Project Manager
can report to the Project Manager
shall not report to the Project Manager
PM   Project Manager ASR Assessor
Integrator
INT
RQM Requirements Manager
TST
Tester
DES  Designer
VER Verifier
IMP  Implementer Validator
VAL
NOTE  For the role of the Configuration Manager, see Table B.10, there are no
independence requirements
For the role Safety Manager the legal requirements on the independences have to be
considered.
13393 NOTE Figure 2 is only illustrative for the preferred organisational structure.
13394 Figure 2 – Illustration of the preferred organisational structure

oSIST prEN 50126-5:2013
- 15 - prEN 50126-5:2012
13395 6.1.2.9 The preferred organisational structure for SIL 3 and SIL 4 is described in 6.1.2.9.1 to 6.1.2.9.2:
13396 6.1.2.9.1 The persons involved can belong to the same organisation and have several roles, with the
13397 following exceptions:
13398 a) Requirements Manager, Designer and Implementer for a software component can be the same
13399 person.
13400 b) Integrator and Tester for a software component can be the same person.
13401 c) A person who is Project Manager can additionally perform the roles of Requirements Manager,
13402 Designer, Implementer, Integrator, Tester or Verifier providing that the requirements for the
13403 independence between these additional roles are respected.
13404 d) A person who is Requirements Manager, Designer or Implementer for a software component shall
13405 neither be Tester nor Integrator for the same software component.
13406 e) A person who is Verifier shall neither be Requirements Manager, Designer, Implementer, Integrator,
13407 Tester nor Validator.
13408 f) A person who is Validator shall neither be Project Manager, Requirements Manager, Designer,
13409 Implementer, Integrator, Tester nor Verifier.
13410 g) The assessor shall be independent and organisationally independent from the roles of Project
13411 Manager, Requirements Manager, Designer, Implementer, Integrator, Tester, Verifier and Validator.
13412 However, the following options may apply:
13413 h) A person who is Validator may also perform the role of Verifier, but still maintaining independence
13414 from the Project Manager. In this case the Verifier’s output documents shall be reviewed by another
13415 competent person with the same level of independence as the Validator. This organisational option
13416 shall be subject to Assessor’s approval.
13417 i) A person who is Verifier may also perform the role of Integrator and Tester, in which case the role of
13418 Validator shall check the adequacy of the documented evidence from integration and testing with the
13419 specified verification objectives, hence maintaining two levels of checking within the project
13420 organisation.
13421 6.1.2.9.2 All roles shall report to the Project Manager, with t
...