Railway applications - Communication, signalling and processing systems - Safety related electronic systems for signalling

Applies to all safety-related railway signalling systems/sub-system/equipment. The hazard analysis and risk assessment processes defined in IEC 62278 and this standard are necessary for all railway signalling systems/sub-systems/equipment, in order to identify any safety requirements.


General Information

Status
Published
Publication Date
17-Sep-2007
Current Stage
PPUB - Publication issued
Start Date
18-Sep-2007
Completion Date
15-Oct-2007
Standard
IEC 62425:2007 - Railway applications - Communication, signalling and processing systems - Safety related electronic systems for signalling
English and French language
194 pages

Standards Content (Sample)


IEC 62425
Edition 1.0 2007-09
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
Railway applications – Communication, signalling and processing systems –
Safety related electronic systems for signalling


All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by
any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either IEC or
IEC's member National Committee in the country of the requester.
If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication,
please contact the address below or your local IEC member National Committee for further information.


IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Email: inmail@iec.ch
Web: www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the latest edition; a corrigendum or an amendment may have been published.
- Catalogue of IEC publications: www.iec.ch/searchpub
The IEC on-line Catalogue enables you to search by a variety of criteria (reference number, text, technical committee, ...). It also gives information on projects, withdrawn and replaced publications.
- IEC Just Published: www.iec.ch/online_news/justpub
Stay up to date on all new IEC publications. Just Published details twice a month all new publications released. Available on-line and also by email.
- Electropedia: www.electropedia.org
The world's leading online dictionary of electronic and electrical terms, containing more than 20 000 terms and definitions in English and French, with equivalent terms in additional languages. Also known as the International Electrotechnical Vocabulary online.
- Customer Service Centre: www.iec.ch/webstore/custserv
If you wish to give us your feedback on this publication or need further assistance, please visit the Customer Service Centre FAQ or contact us:
Email: csc@iec.ch
Tel.: +41 22 919 02 11
Fax: +41 22 919 03 00

INTERNATIONAL ELECTROTECHNICAL COMMISSION
PRICE CODE XD
ICS 45.060 ISBN 2-8318-9310-0
– 2 – 62425 © IEC:2007
CONTENTS
FOREWORD ... 5
INTRODUCTION ... 7

1 Scope ... 8
2 Normative references ... 9
3 Terms, definitions and abbreviations ... 10
3.1 Definitions ... 10
3.2 Abbreviations ... 15
4 Overall framework of this standard ... 16
5 Conditions for safety acceptance and approval ... 17
5.1 The safety case ... 17
5.2 Evidence of quality management ... 19
5.3 Evidence of safety management ... 21
5.3.1 Introduction ... 21
5.3.2 Safety life-cycle ... 22
5.3.3 Safety organisation ... 23
5.3.4 Safety plan ... 24
5.3.5 Hazard log ... 25
5.3.6 Safety requirements specification ... 25
5.3.7 System/sub-system/equipment design ... 25
5.3.8 Safety reviews ... 25
5.3.9 Safety verification and validation ... 25
5.3.10 Safety justification ... 26
5.3.11 System/sub-system/equipment handover ... 26
5.3.12 Operation and maintenance ... 26
5.3.13 Decommissioning and disposal ... 26
5.4 Evidence of functional and technical safety ... 26
5.5 Safety acceptance and approval ... 29
5.5.1 Introduction ... 29
5.5.2 Safety approval process ... 30
5.5.3 After safety approval ... 32
5.5.4 Dependency between safety approvals ... 32

Annex A (normative) Safety integrity levels ... 33
Annex B (normative) Detailed technical requirements ... 47
Annex C (normative) Identification of hardware component failure modes ... 62
Annex D (informative) Supplementary technical information ... 79
Annex E (informative) Techniques and measures for safety-related electronic systems for signalling for the avoidance of systematic faults and the control of random and systematic faults ... 86

Bibliography ... 95

Figure 1 – Scope of the main IEC railway application standards ... 9
Figure 2 – Structure of IEC 62425 ... 17
Figure 3 – Structure of safety case ... 19
Figure 4 – Example of system life-cycle (from IEC 62278) ... 21
Figure 5 – Example of design and validation portion of system life-cycle ... 23
Figure 6 – Arrangements for independence ... 24
Figure 7 – Structure of technical safety report ... 29
Figure 8 – Typical safety acceptance and approval process ... 31
Figure 9 – Examples of dependencies between safety cases/safety approval ... 32
Figure A.1 – Safety requirements and safety integrity ... 34
Figure A.2 – Global process overview ... 36
Figure A.3 – Example risk analysis process ... 37
Figure A.4 – Definition of hazards with respect to the system boundary ... 38
Figure A.5 – Example hazard control process ... 40
Figure A.6 – Interpretation of failure and repair times ... 41
Figure A.7 – Treatment of functional independence by FTA ... 42
Figure A.8 – Relationship between SILs and techniques ... 45
Figure B.1 – Influences affecting the independence of items ... 52
Figure B.2 – Detection and negation of single faults ... 55
Figure C.1 – Example of a 4-terminal resistor, using a hybrid thick layer technique ... 65
Figure D.1 – Example of a fault analysis method ... 83

Table A.1 – SIL-table ... 45
Table C.1 – Resistors ... 68
Table C.2 – Capacitors ... 69
Table C.3 – Electromagnetic components ... 69
Table C.4 – Diodes ... 71
Table C.5 – Transistors ... 72
Table C.6 – Controlled rectifiers ... 73
Table C.7 – Surge suppressors ... 74
Table C.8 – Opto-electronic components ... 75
Table C.9 – Filters ... 76
Table C.10 – Interconnection assemblies ... 76
Table C.11 – Fuses ... 77
Table C.12 – Switches and push/pull buttons ... 77
Table C.13 – Lamps ... 77
Table C.14 – Batteries ... 78
Table C.15 – Transducers/sensors (not including those with internal electronic circuitry) ... 78
Table C.16 – Integrated circuits ... 78
Table D.1 – Examples of measures to detect faults in large-scale integrated circuits by means of periodic on-line testing, with comparison (SW or HW), in a 2-out-of-n system ...
Table E.1 – Safety planning and quality assurance activities (referred to in 5.2 and 5.3.4) ... 88
Table E.2 – System requirements specification (referred to in 5.3.6) ... 88
Table E.3 – Safety organisation (referred to in 5.3.3) ... 89
Table E.4 – Architecture of system/sub-system/equipment (referred to in 5.4) ... 89
Table E.5 – Design features (referred to in 5.4) ... 90
Table E.6 – Failure and hazard analysis methods (referred to in 5.4) ... 91
Table E.7 – Design and development of system/sub-system/equipment (referred to in 5.3.7) ... 91
Table E.8 – Design phase documentation (referred to in 5.2) ... 92
Table E.9 – Verification and validation of the system and product design (referred to in 5.3.9) ... 93
Table E.10 – Application, operation and maintenance (referred to in 5.3.12 and 5.4) ... 94
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
RAILWAY APPLICATIONS –
COMMUNICATION, SIGNALLING AND PROCESSING SYSTEMS –
SAFETY RELATED ELECTRONIC SYSTEMS FOR SIGNALLING

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any
equipment declared to be in conformity with an IEC Publication.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 62425 has been prepared by IEC technical committee 9: Electrical
equipment and systems for railways.
It was submitted to the National Committees for voting under the Fast Track Procedure as the
following documents:
FDIS: 9/1057/FDIS
Report on voting: 9/1087/RVD
Full information on the voting for the approval of this standard can be found in the report on
voting indicated above.
This document is based on EN 50129.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.

The committee has decided that the contents of this publication will remain unchanged until the
maintenance result date indicated on the IEC web site under "http://webstore.iec.ch" in the data
related to the specific publication. At this date, the publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
INTRODUCTION
This standard is the first International Standard defining requirements for the acceptance and
approval of safety-related electronic systems in the railway signalling field. This standard is
derived from the European Standard EN 50129.
Safety-related electronic systems for signalling include hardware and software aspects. To
install complete safety-related systems, both parts within the whole life-cycle of the system
have to be taken into account. The requirements for safety-related hardware and for the overall
system are defined in this standard. Other requirements are defined in associated IEC
standards.
This standard is the common base for safety acceptance and approval of electronic systems
for railway signalling applications. The aim of railway authorities and railway industry is to
develop railway systems based on common standards. The safety authorities having
jurisdiction can apply this standard to the relevant matters they choose. On this basis, cross-
acceptance of safety approvals for sub-systems and equipment can be applied by the different
national safety authorities. Cross-acceptance is applicable to generic approval, not to specific
applications.
The standard consists of the main part (Clause 1 to Clause 5) and Annexes A, B, C, D and E.
The requirements defined in the main part of the standard and in Annexes A, B and C are
normative, whilst Annexes D and E are informative.
This standard is in line with, and uses relevant sections of IEC 62278: "Railway applications –
Specification and demonstration of reliability, availability, maintainability and safety (RAMS)".
This standard and IEC 62278 are based on the system life-cycle and are in line with
IEC 61508-1, which is replaced by the set of IEC 62278/ IEC 62279/ IEC 62425, as far as
railway communication, signalling and processing systems are involved. Meeting the
requirements in these standards is sufficient to ensure that further compliance to IEC 61508-1
need not be evaluated.
Because this standard is concerned with the evidence to be presented for the acceptance of
safety-related systems, it specifies those life-cycle activities which shall be completed before
the acceptance stage, followed by additional planned activities to be carried out after the
acceptance stage. Safety justification for the whole of the life-cycle is therefore required.
This standard is concerned with what evidence is to be presented. Except where considered
appropriate, it does not specify who should carry out the necessary work, since this may vary in
different circumstances.
For safety-related systems which include programmable electronics, additional conditions for
the software are defined in IEC 62279.
Additional requirements for safety-related data communication are defined in IEC 62280-1 and
IEC 62280-2.
RAILWAY APPLICATIONS –
COMMUNICATION, SIGNALLING AND PROCESSING SYSTEMS –
SAFETY RELATED ELECTRONIC SYSTEMS FOR SIGNALLING

1 Scope
This International Standard is applicable to safety-related electronic systems (including sub-
systems and equipment) for railway signalling applications.
The scope of this standard, and its relationship with other IEC standards, are shown in
Figure 1.
This standard is intended to apply to all safety-related railway signalling systems/sub-
system/equipment. However, the hazard analysis and risk assessment processes defined in
IEC 62278 and this standard are necessary for all railway signalling systems/sub-
systems/equipment, in order to identify any safety requirements. If analysis reveals that no
safety requirements exist (i.e.: that the situation is non-safety-related), and provided the
conclusion is not revised as a consequence of later changes, this safety standard ceases to be
applicable.
This standard applies to the specification, design, construction, installation, acceptance,
operation, maintenance and modification/extension phases of complete signalling systems, and
also to individual sub-systems and equipment within the complete system. Annex C includes
procedures relating to electronic hardware components.
This standard applies to generic sub-systems and equipment (both application-independent
and those intended for a particular class of application), and also to systems/sub-
systems/equipment for specific applications.
This standard is not applicable to existing systems/sub-systems/equipment (i.e. those which
had already been accepted prior to the creation of this standard). However, as far as
reasonably practicable, this standard should be applied to modifications and extensions to
existing systems, sub-systems and equipment.
This standard is primarily applicable to systems/sub-systems/equipment which have been
specifically designed and manufactured for railway signalling applications. It should also be
applied, as far as reasonably practicable, to general-purpose or industrial equipment (e.g.:
power supplies, modems, etc.), which is procured for use as part of a safety-related signalling
system. As a minimum, evidence shall be provided in such cases to demonstrate
– either that the equipment is not relied on for safety,
– or that the equipment can be relied on for those functions which relate to safety.
This standard is applicable to the functional safety of railway signalling systems. It is not
intended to deal with the occupational health and safety of personnel; this subject is covered by
other standards.
[Figure: four nested levels, Total railway system > Complete railway signalling system > Individual sub-system > Individual item of equipment, with the standards mapped onto them: IEC 62278 (RAMS), IEC 62279 (Software), IEC 62280-1 and IEC 62280-2 (Communication), IEC 62425 (System safety). IEC 1726/07]
Figure 1 – Scope of the main IEC railway application standards

2 Normative references
The following referenced documents are indispensable for the application of this document. For
dated references, only the edition cited applies. For undated references, the latest edition of
the referenced document (including any amendments) applies.
NOTE 1 Additional informative references are included in the Bibliography.
IEC 60664 (all parts), Insulation coordination for equipment within low-voltage systems
IEC 61508-1, Functional safety of electrical/electronic/ programmable electronic safety-related
systems – Part 1: General requirements
IEC 62236 (all parts), Railway applications – Electromagnetic compatibility
IEC 62236-4, Railway applications – Electromagnetic compatibility – Part 4: Emission and
immunity of the signalling and telecommunications apparatus
IEC 62278, Railway applications – The specification and demonstration of reliability,
availability, maintainability and safety (RAMS)
IEC 62279, Railway applications – Communications, signalling and processing systems –
Software for railway control and protection systems
IEC 62280-1, Railway applications – Communication, signalling and processing systems –
Part 1: Safety-related communication in closed transmission systems
IEC 62280-2, Railway applications – Communication, signalling and processing systems –
Part 2: Safety-related communication in open transmission systems

EN 50124-1, Railway applications – Insulation coordination – Part 1: Basic requirements –
Clearances and creepage distances for all electrical and electronic equipment
EN 50125-1, Railway applications – Environmental conditions for equipment – Part 1:
Equipment on board rolling stock
EN 50125-3, Railway applications – Environmental conditions for equipment – Part 3:
Equipment for signalling and telecommunications
EN 50155, Railway applications – Electronic equipment used on rolling stock
NOTE 2 EN 50124 (series), EN 50125 (series) and EN 50155 will be converted to IEC standards according to
the merging strategy between IEC TC9 and CENELEC TC9X.
3 Terms, definitions and abbreviations
For the purposes of this document, the following terms, definitions and abbreviations apply.
3.1 Definitions
3.1.1
accident
an unintended event or series of events that results in death, injury, loss of a system or
service, or environmental damage
3.1.2
assessment
the process of analysis to determine whether the design authority and the validator have
achieved a product that meets the specified requirements and to form a judgement as to
whether the product is fit for its intended purpose
3.1.3
authorisation
the formal permission to use a product within specified application constraints
3.1.4
availability
the ability of a product to be in a state to perform a required function under given conditions at
a given instant of time or over a given time interval assuming that the required external
resources are provided
3.1.5
causal analysis
analysis of the reasons how and why a particular hazard may come into existence
3.1.6
common-cause failure
failure common to items which are intended to be independent
3.1.7
consequence analysis
analysis of events which are likely to happen after a hazard has occurred
3.1.8
configuration
the structuring and interconnection of the hardware and software of a system for its intended
application
3.1.9
cross-acceptance
the status achieved by a product that has been accepted by one authority to the relevant
standards and is acceptable to other authorities without the necessity for further assessment
3.1.10
design
the activity applied in order to analyse and transform specified requirements into acceptable
design solutions which have the required safety integrity
3.1.11
design authority
the body responsible for the formulation of a design solution to fulfil the specified requirements
and for overseeing the subsequent development and setting-to-work of a system in its intended
environment
3.1.12
diversity
a means of achieving all or part of the specified requirements in more than one independent
and dissimilar manner
3.1.13
equipment
a functional physical item
3.1.14
error
a deviation from the intended design which could result in unintended system behaviour or
failure
3.1.15
fail-safe
a concept which is incorporated into the design of a product such that, in the event of a failure,
it enters or remains in a safe state
3.1.16
failure
a deviation from the specified performance of a system
NOTE A failure is the consequence of a fault or error in the system.
3.1.17
fault
an abnormal condition that could lead to an error in a system
NOTE A fault can be random or systematic.
3.1.18
fault detection time
time span which begins at the instant when a fault occurs and ends when the existence of the
fault is detected
3.1.19
function
a mode of action or activity by which a product fulfils its purpose
3.1.20
hazard
a condition that could lead to an accident

3.1.21
hazard analysis
the process of identifying hazards and analysing their causes, and the derivation of
requirements to limit the likelihood and consequences of hazards to a tolerable level
3.1.22
hazard log
the document in which all safety management activities, hazards identified, decisions made
and solutions adopted, are recorded or referenced
3.1.23
human error
a human action (mistake), which can result in unintended system behaviour/failure
3.1.24
implementation
the activity applied in order to transform the specified designs into their physical realisation
3.1.25
independence (functional)
freedom from any mechanism which can affect the correct operation of more than one function
as a result of either systematic or random failure
3.1.26
independence (human)
freedom from involvement in the same intellectual, commercial and/or management entity
3.1.27
independence (physical)
freedom from any mechanism which can affect the correct operation of more than one
system/sub-system/equipment as a result of random failures
3.1.28
individual risk
a risk which is related to a single individual only
3.1.29
maintainability
the probability that a given active maintenance action, for an item under given conditions of use,
can be carried out within a stated time interval when the maintenance is performed under
stated conditions and using stated procedures and resources
3.1.30
maintenance
the combination of all technical and administrative actions, including supervision actions,
intended to retain an item in, or restore it to, a state in which it can perform its required
function
3.1.31
negation
enforcement of a safe state following detection of a hazardous fault
3.1.32
negation time
time span which begins when the existence of a fault is detected and ends when a safe state is
enforced
3.1.33
product
a collection of elements, interconnected to form a system/sub-system/equipment, in a manner
which meets the specified requirements
3.1.34
quality
a user perception of the attributes of a product
3.1.35
railway authority
the body with the overall accountability to a safety authority for operating a safe railway system
3.1.36
random failure integrity
the degree to which a system is free from hazardous random faults
3.1.37
random fault
unpredictable occurrence of a fault
3.1.38
redundancy
the provision of one or more additional measures, usually identical, to provide fault tolerance
3.1.39
reliability
the ability of an item to perform a required function under given conditions for a given period of
time
3.1.40
repair
measures for re-establishing the required state of a system/sub-system/equipment after a
fault/failure
3.1.41
risk
the combination of the frequency, or probability, and the consequence of a specified hazardous
event
3.1.42
safe state
a condition which continues to preserve safety
3.1.43
safety
freedom from unacceptable levels of risk of harm
3.1.44
safety acceptance
the safety status given to a product by the final user
3.1.45
safety approval
the safety status given to a product by the requisite authority when the product has fulfilled a
set of pre-determined conditions

3.1.46
safety authority
the body responsible for delivering the authorisation for the operation of the safety related
system
3.1.47
safety case
the documented demonstration that the product complies with the specified safety
requirements
3.1.48
safety integrity
the ability of a safety-related system to achieve its required safety functions under all the stated
conditions within a stated operational environment and within a stated period of time
3.1.49
safety integrity level
a number which indicates the required degree of confidence that a system will meet its
specified safety functions with respect to systematic failures
3.1.50
safety life-cycle
the additional series of activities carried out in conjunction with the system life-cycle for safety-
related systems
3.1.51
safety management
the management structure which ensures that the safety process is properly implemented
3.1.52
safety plan
the implementation details of how the safety requirements of the project will be achieved
3.1.53
safety process
the series of procedures that are followed to enable all safety requirements of a product to be
identified and met
3.1.54
safety-related
carries responsibility for safety
3.1.55
signalling system
particular kind of system used on a railway to control and protect the operation of trains
3.1.56
stress profile
the degree and number of external influences which a product can withstand whilst performing
its required functionality
3.1.57
sub-system
a portion of a system which fulfils a specialised function

3.1.58
system
a set of sub-systems which interact according to a design
3.1.59
systematic failure integrity
the degree to which a system is free from unidentified hazardous errors and the causes thereof
3.1.60
systematic fault
an inherent fault in the specification, design, construction, installation, operation or
maintenance of a system, sub-system or equipment
3.1.61
system life-cycle
the series of activities occurring during a period of time that starts when a system is conceived
and ends at decommissioning when the system is no longer available for use
3.1.62
technical safety report
documented technical evidence for the safety of the design of a system/sub-system/equipment
3.1.63
validation
the activity applied in order to demonstrate, by test and analysis, that the product meets in all
respects its specified requirements
3.1.64
verification
the activity of determination, by analysis and test, at each phase of the life-cycle, that the
requirements of the phase under consideration meet the output of the previous phase and that
the output of the phase under consideration fulfils its requirements
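The definitions of fail-safe (3.1.15), fault detection time (3.1.18), negation (3.1.31) and negation time (3.1.32) describe one mechanism: a fault occurs, it is detected after some delay, and a safe state is then enforced after a further delay. The following Python simulation is an added example, not text or code from IEC 62425, and shows that mechanism in a two-out-of-two comparison arrangement of the kind Table D.1 refers to: the permissive aspect is output only while both channels agree and each has reported within a watchdog period; a disagreement or a stale channel is treated as detection of a hazardous fault and negated by latching the restrictive aspect. The watchdog period (200 ms), relay release delay (50 ms), tick interval, channel names and the two sample streams are all constructed assumptions.

```python
"""Two-out-of-two comparison with fail-safe negation (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

STOP = "STOP"        # restrictive aspect: the safe state
PROCEED = "PROCEED"  # permissive aspect: allowed only when both channels agree


@dataclass(frozen=True)
class Sample:
    t_ms: int      # instant the comparator received the sample
    channel: str   # "A" or "B" (assumed channel names)
    aspect: str    # STOP or PROCEED as computed by that channel


class TwoOutOfTwoComparator:
    """Outputs PROCEED only while both channels agree and are fresh.

    A disagreement or a stale channel is treated as detection of a hazardous
    fault; the comparator negates it by commanding STOP and latching there.
    """

    def __init__(self, watchdog_ms: int, relay_drop_ms: int) -> None:
        self.watchdog_ms = watchdog_ms        # assumed maximum age of a channel sample
        self.relay_drop_ms = relay_drop_ms    # assumed delay until the output relay releases
        self.last: Dict[str, Optional[Sample]] = {"A": None, "B": None}
        self.latched = False
        self.fault_detected_at: Optional[int] = None  # end of fault detection time
        self.safe_state_at: Optional[int] = None      # end of negation time

    def ingest(self, sample: Sample) -> None:
        self.last[sample.channel] = sample

    def command(self, now_ms: int) -> str:
        """Aspect commanded at now_ms; once latched it stays STOP."""
        if self.latched:
            return STOP
        a, b = self.last["A"], self.last["B"]
        if a is None or b is None:
            return STOP  # start-up: restrictive until both channels have reported
        fresh = (now_ms - a.t_ms <= self.watchdog_ms
                 and now_ms - b.t_ms <= self.watchdog_ms)
        if fresh and a.aspect == b.aspect:
            return a.aspect
        # Detection (disagreement or watchdog expiry), then negation by latching.
        self.latched = True
        self.fault_detected_at = now_ms
        self.safe_state_at = now_ms + self.relay_drop_ms
        return STOP


def run_scenario(samples: List[Sample], fault_at_ms: int, end_ms: int,
                 tick_ms: int = 100, watchdog_ms: int = 200,
                 relay_drop_ms: int = 50) -> dict:
    """Replay samples through the comparator and compute fault detection time
    (3.1.18) and negation time (3.1.32) relative to the known fault instant."""
    cmp = TwoOutOfTwoComparator(watchdog_ms, relay_drop_ms)
    pending = sorted(samples, key=lambda s: s.t_ms)
    trace: Dict[int, str] = {}
    for now in range(0, end_ms + 1, tick_ms):
        while pending and pending[0].t_ms <= now:
            cmp.ingest(pending.pop(0))
        trace[now] = cmp.command(now)
    detected = cmp.fault_detected_at
    return {
        "trace": trace,
        "fault_detected_at": detected,
        "fault_detection_time_ms": None if detected is None else detected - fault_at_ms,
        "negation_time_ms": None if detected is None else cmp.safe_state_at - detected,
        "safe_state_at": cmp.safe_state_at,
    }


def both(t_ms: int, aspect: str) -> List[Sample]:
    return [Sample(t_ms, "A", aspect), Sample(t_ms, "B", aspect)]


# Scenario 1 (constructed): channel B suffers a random fault at 450 ms and still
# reports PROCEED at 500 ms after channel A has correctly dropped to STOP. From
# 600 ms both channels agree again, but the latch keeps the safe state.
DISAGREEMENT = (both(0, PROCEED) + both(100, PROCEED) + both(200, PROCEED)
                + both(300, PROCEED) + both(400, PROCEED)
                + [Sample(500, "A", STOP), Sample(500, "B", PROCEED)]
                + both(600, PROCEED) + both(700, PROCEED))

# Scenario 2 (constructed): channel B goes silent after the fault at 450 ms, so
# detection depends on the watchdog period rather than on a value comparison.
SILENT_CHANNEL = ([s for s in DISAGREEMENT if s.t_ms <= 400]
                  + [Sample(t, "A", PROCEED) for t in (500, 600, 700, 800)])


def scenario_disagreement() -> dict:
    return run_scenario(DISAGREEMENT, fault_at_ms=450, end_ms=800)


def scenario_silent_channel() -> dict:
    return run_scenario(SILENT_CHANNEL, fault_at_ms=450, end_ms=800)


if __name__ == "__main__":
    for name, result in (("disagreement", scenario_disagreement()),
                         ("silent channel", scenario_silent_channel())):
        print(name, {k: v for k, v in result.items() if k != "trace"})
```

Run as a script to print the timing figures for both scenarios. The second scenario is the instructive one: a channel that simply goes silent is only caught when the watchdog expires, so its fault detection time (250 ms here) is bounded by the watchdog period plus the sampling interval rather than by the comparison, while the negation time is the same 50 ms in both cases. That is why the standard defines the two intervals separately: each is limited by a different design measure, and a later agreement of the channels does not clear the latched safe state.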
3.2 Abbreviations
ATP automatic train protection
CENELEC European committee for electrotechnical standardisation
CCF common-cause failure
DC direct current
EMC electromagnetic compatibility
EMI electromagnetic interference
EN European standard
ESD electrostatic discharge
FMEA failure modes and effects analysis
FR failure rate
FTA fault tree analysis
H hazard
HW hardware
IEC International electrotechnical commission
IRSE Institution of railway signal engineers
ISO International standards organisation
RAMS reliability, availability, maintainability and safety
SDR safe down rate
SDT safe down time
SIL safety integrity level
SW software
THR tolerable hazard rate
UIC International union of railways
4 Overall framework of this standard
Clause 5 of this International Standard requires that a systematic, documented approach be
taken to
– evidence of quality management,
– evidence of safety management,
– evidence of functional and technical safety,
– safety acceptance and approval.
Annex A (normative) defines the interpretation and use of safety integrity levels.
Annex B (normative) contains detailed technical requirements for safety-related systems/sub-
systems/equipment.
Annex C (normative) contains procedures and information for identifying the credible failure
modes of hardware components.
Annex D (informative) contains supplementary technical information.
Annex E (informative) contains tables of techniques/measures to be used for various levels of
safety integrity.
The bibliography contains references to documents that have been consulted during the
preparation of this standard.
The structure of this standard is summarised in Figure 2.
[Figure 2: block diagram of IEC 62425 showing Clauses 1 to 5, with Clause 5 subdivided into 5.1 to 5.5; the normative Annexes A, B (B.1 to B.6) and C; and the informative Annexes D and E and the Bibliography. IEC 1727/07]
Figure 2 – Structure of IEC 62425

5 Conditions for safety acceptance and approval
5.1 The safety case
This standard defines the conditions that shall be satisfied in order for a safety-related
electronic railway system/sub-system/equipment to be accepted as adequately safe for its
intended application.
The conditions for safety acceptance are presented in this standard under three subclauses,
namely
5.2 Evidence of quality management
5.3 Evidence of safety management
5.4 Evidence of functional and technical safety
All of these conditions shall be satisfied, at equipment, sub-system and system levels, before
the safety-related system can be accepted as adequately safe.
The documentary evidence that these conditions have been satisfied shall be included in a
structured safety justification document, known as the safety case. The safety case forms part
of the overall documentary evidence to be submitted to the relevant safety authority in order to
obtain safety approval for a generic product, a class of application or a specific application. For
an explanation of the safety approval process, see 5.5.
The safety case contains the documented safety evidence for the system/sub-system/
equipment, and shall be structured as follows:
− Part 1 Definition of system (or sub-system/equipment)
This shall precisely define or reference the system/sub-system/equipment to which the safety
case refers, including version numbers and modification status of all requirements, design and
application documentation.
− Part 2 Quality management report
This shall contain the evidence of quality management, as specified in 5.2.
− Part 3 Safety management report
This shall contain the evidence of safety management, as specified in 5.3.
− Part 4 Technical safety report
This shall contain the evidence of functional and technical safety, as specified in 5.4.
− Part 5 Related safety cases
This shall contain references to the safety cases of any sub-systems or equipment on which
the main safety case depends.
It shall also demonstrate that all the safety-related application conditions specified in each of
the related sub-system/equipment safety cases are
• either fulfilled in the main safety case,
• or carried forward into the safety-related application conditions of the main safety case.

− Part 6 Conclusion
This shall summarise the evidence presented in the previous parts of the safety case, and
argue that the relevant system/sub-system/equipment is adequately safe, subject to
compliance with the specified application conditions.
The structure of the safety case is illustrated in Figure 3.
Large volumes of detailed evidence and supporting documentation need not be included in the
safety case and in its parts, provided precise references are given to such documents and
provided the base concepts used and the approaches taken are clearly specified.
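The Part 5 requirement above is a traceability property that can be checked mechanically: every safety-related application condition exported by a related sub-system or equipment safety case must be either fulfilled in the main safety case or carried forward into the main safety case's own application conditions. The following Python is an added example, not text or code from IEC 62425; the data model, the function names and the sample safety cases and condition identifiers are constructed for illustration. It also flags two failure modes the text implies but does not spell out: a condition claimed as fulfilled that no related safety case actually exports (a stale reference), and a condition marked as carried forward that does not appear in the main safety case's exported conditions (so it never reaches the applier).

```python
"""Traceability check for safety-related application conditions (SRACs).

Added example, not part of IEC 62425. It models the Part 5 requirement of
the safety case structure: each condition exported by a related sub-system
or equipment safety case must be fulfilled in the main safety case or
carried forward into the main safety case's own application conditions.
All names, identifiers and evidence references below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class SafetyCase:
    """A safety case and the application conditions it exports to its users."""
    name: str
    exported_conditions: set[str] = field(default_factory=set)


@dataclass
class MainSafetyCase(SafetyCase):
    """The main safety case with its Part 5 references and how it treats them."""
    related: list[SafetyCase] = field(default_factory=list)   # Part 5 references
    fulfilled: dict[str, str] = field(default_factory=dict)   # condition -> evidence ref
    carried_forward: set[str] = field(default_factory=set)    # re-exported to applier


def check_part5(main: MainSafetyCase) -> dict[str, list[str]]:
    """Return findings keyed by category; an empty dict means Part 5 is complete.

    unaddressed:  inherited conditions neither fulfilled nor carried forward
                  (a gap in the safety argument).
    unsourced:    conditions claimed fulfilled or carried forward that no
                  related safety case exports (stale or mistyped references).
    not_exported: carried-forward conditions absent from the main safety
                  case's own exported conditions, so the applier never sees them.
    """
    inherited = {c for sc in main.related for c in sc.exported_conditions}
    claimed = set(main.fulfilled) | main.carried_forward
    findings = {
        "unaddressed": sorted(inherited - claimed),
        "unsourced": sorted(claimed - inherited),
        "not_exported": sorted(main.carried_forward - main.exported_conditions),
    }
    # Drop empty categories so an empty dict unambiguously means "no findings".
    return {k: v for k, v in findings.items() if v}


def sample_main_case() -> MainSafetyCase:
    """Constructed sample: an interlocking safety case depending on two sub-systems."""
    io_board = SafetyCase("IO-BOARD-SC", {"SRAC-IO-1", "SRAC-IO-2"})
    comms = SafetyCase("COMMS-SC", {"SRAC-COM-1", "SRAC-COM-2", "SRAC-COM-3"})
    return MainSafetyCase(
        name="INTERLOCKING-SC",
        exported_conditions={"SRAC-COM-2", "SRAC-ILK-1"},
        related=[io_board, comms],
        fulfilled={
            "SRAC-IO-1": "TSR section 4.2",   # constructed evidence reference
            "SRAC-COM-1": "TSR section 6.1",
            "SRAC-OLD-9": "TSR section 6.3",  # refers to a condition nobody exports
        },
        carried_forward={"SRAC-COM-2", "SRAC-COM-3"},  # COM-3 is not re-exported
    )


if __name__ == "__main__":
    for category, conditions in check_part5(sample_main_case()).items():
        print(f"{category}: {', '.join(conditions)}")
```

Run on the constructed sample, the check reports SRAC-IO-2 as unaddressed, SRAC-OLD-9 as unsourced and SRAC-COM-3 as not exported; a safety case that satisfies Part 5 yields no findings at all.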
[Figure 3: the safety case drawn as a stack of six parts, from bottom to top: Part 1 Definition of system; Part 2 Quality management report; Part 3 Safety management report; Part 4 Technical safety report; Part 5 Related safety cases; Part 6 Conclusion. IEC 1728/07]
Figure 3 – Structure of safety case
5.2 Evidence of quality management
The first condition for safety acceptance that shall be satisfied is that the quality of the system,
sub-system or equipment has been, and shall continue to be, controlled by an effective quality
management system throughout its life-cycle. Documentary evidence to demonstrate this shall
be provided in the quality management report, which forms Part 2 of the safety case.
The purpose of the quality management system is to minimise the incidence of human errors at
each stage in the life-cycle, and thus to reduce the risk of systematic faults in the system, sub-
system or equipment.
The quality management system shall be applicable throughout the system/sub-system/
equipment life-cycle, as defined in IEC 62278. An example of a system life-cycle diagram (from
IEC 62278) is reproduced as Figure 4.
NOTE Examples of aspects which should be controlled by the quality management system and included in the
quality management report:
– organisational structure;
– quality planning and procedures;
– specification of requirements;
– design control;
– design verification and reviews;


...