EN 50128 / 50657
The software safety standard EN 50128 originates from the European Committee for Electrotechnical Standardisation, or CENELEC. Its full title is ‘Railway applications. Communications, signalling and processing systems. Software for railway control and protection systems’. The International published version of the CENELEC EN 50128 standard is IEC 62279. The content of both publications is identical
The standard requires that all systems with safety implications and which contain software should be assigned a Software Integrity Level (SIL), ranging from a value of 0 to 4. The standard then details in a number of ‘normative’ and ‘informative’ ways, the software development activities appropriate to each SIL which should be carried out, and evidence for the completion of which should be generated.
The standard EN 50657:2017 specifies the process and technical requirements for the development of software for programmable electronic systems for use in rolling stock applications. The standard adapts EN 50128:2011 for the application in the Rolling Stock domain, but is shares a lot in common including the definition of the Software Integrity Levels (SIL).

Testing tools for compliance with EN 50128 / 50657 recommendations
QA Systems enables organisations to accelerate EN 50128 / 50657 compliance with automated static analysis and software testing tools:
STATIC ANALYSIS
INTEGRATED STATIC ANALYSIS
Automated analysis synchronised with Cantata
CANTATA TEST ARCHITECT
Understand, define and control software architecture
SOURCE CODE METRICS
Automated source code metrics for C/C++
SOFTWARE TESTING
CANTATA
Automated unit and integration testing for C/C++ code
CANTATA TEAM REPORTING
Test status management dashboard add-on
ADATEST 95
Automated unit and integration testing for Ada code
Tool Certification
EN 50128 and 50657 (section 6.1.4.2) states that tools, hardware or software, used for testing shall be shown to be suitable for the purpose. Cantata testing tool has been classified and certified by SGS-TÜV GmbH, an independent third party certification body for functional safety, accredited by Deutsche Akkreditierungsstelle GmbH (DAkkS). Cantata has been classified as a class T2 tool, and is usable in development of safety related software according to EN 50128:2011 and 50657:2017 up to Software Safety Integrity Level (SW-SIL) 4.
The tool certification kits for EN 50128 and 50657 are available to ease our customers’ path to certification. This contains everything needed to prove that Cantata fulfills EN 50128 / 50657 recommendations as well as guidance to help you to achieve compliance.
Please contact us for more information about the tool certification kit.
Software testing for EN 50128 / 50657 compliance
EN 50128 / 50657 recommends unit and integration testing. Cantata enables developers to verify EN 50128 / 50657 compliant C and C++ code on host native and embedded target platforms.
Cantata helps accelerate compliance with the standard’s software testing requirements by automating:
Our EN 50128 / 50657 Standard Briefings trace the requirements of EN 50128 / 50657, identifying the scope of those which are supported by Cantata and identifies how the requirements are supported by Cantata.
Please contact us for more information on Cantata for EN 50128 / 50657.
The EN 50128 / 50657 software testing recommendations by SIL and where these are supported by Cantata are summarised in the tables below:

EN 50128 / 50657 Table A. 5 Verification and Testing
Methods | SIL 0 | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Cantata |
---|---|---|---|---|---|---|
2. Static Analysis | – | HR | HR | HR | HR | Yes |
3. Dynamic Analysis and Testing | – | HR | HR | HR | HR | Yes |
4. Metrics | – | R | R | R | R | Yes |
5. Traceability | R | HR | HR | M | M | Yes |
6. Software Error Effect Analysis | – | R | R | HR | HR | Yes |
7. Test Coverage for code | R | HR | HR | HR | HR | Yes |
8. Functional/ Black-box Testing | HR | HR | HR | M | M | Yes |
9. Performance Testing | – | HR | HR | HR | HR | Yes |
10. Interface Testing | HR | HR | HR | HR | HR | Yes |
EN 50128 / 50657 Table A. 6 – Integration
Methods | SIL 0 | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Cantata |
---|---|---|---|---|---|---|
1. Functional and Black-box Testing | HR | HR | HR | HR | HR | Yes |
2. Performance Testing | – | R | R | HR | HR | Yes |
EN 50128 / 50657 Table A. 7 – Overall Software Testing
Methods | SIL 0 | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Cantata |
---|---|---|---|---|---|---|
1. Performance Testing | – | HR | HR | M | M | Yes |
2. Functional and Black-box Testing | HR | HR | HR | M | M | Yes |
EN 50128 / 50657 Table A. 8 – Software Analysis Techniques
Methods | SIL 0 | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Cantata |
---|---|---|---|---|---|---|
1. Static Software Analysis | R | HR | HR | HR | HR | Yes |
2. Dynamic Software Analysis | – | R | R | HR | HR | Yes |
5. Software Error Effect Analysis | – | R | R | HR | HR | Yes |
EN 50128 / 50657 Table A. 13 – Dynamic Analysis and Testing
Methods | SIL 0 | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Cantata |
---|---|---|---|---|---|---|
1. Test Case Execution from Boundary Value | – | HR | HR | HR | HR | Yes |
2. Test Case Execution from Error Guessing | R | R | R | R | R | Yes |
3. Test Case Execution from Error Seeding | – | R | R | R | R | Yes |
5. Equivalence Classes and Input Partition Testing | R | R | R | HR | HR | Yes |
6. Structure-Based Testing | – | R | R | HR | HR | Yes |
EN 50128 / 50657 Table A. 14 – Functional/Black Box Test
Methods | SIL 0 | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Cantata |
---|---|---|---|---|---|---|
3. Boundary Value Analysis | R | HR | HR | HR | HR | Yes |
4. Equivalence Classes and Input Partition Testing | R | HR | HR | HR | HR | Yes |
EN 50128 Table A. 15 – Textual Programming Languages
Methods | SIL 0 | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Cantata |
---|---|---|---|---|---|---|
4. C or C++ | R | R | R | R | R | Yes |
7. Assembler | R | R | R | R | R | Yes |
EN 50128 / 50657 Table A. 18 – Performance Testing
Methods | SIL 0 | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Cantata |
---|---|---|---|---|---|---|
2. Response Timing and Memory Constraints | – | HR | HR | HR | HR | Yes |
EN 50128 / 50657 Table A. 20 – Components
Methods | SIL 0 | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Cantata |
---|---|---|---|---|---|---|
1. Information Hiding | – | – | – | – | – | Yes |
2. Information Encapsulation | R | HR | HR | HR | HR | Yes |
3. Parameter Number Limit | R | R | R | R | R | Yes |
4. Fully Defined Interface | R | HR | HR | M | M | Yes |
EN 50128 / 50657 Table A. 21 – Test Coverage for Code
Methods | SIL 0 | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Cantata |
---|---|---|---|---|---|---|
1. Statement | R | HR | HR | HR | HR | Yes |
2. Branch | – | R | R | HR | HR | Yes |
3. Compound Condition | – | R | R | HR | HR | Yes |
4. Data flow | – | R | R | HR | HR | Yes |
5. Path | – | R | R | HR | HR | Yes |

Start a free trial to evaluate Cantata using your code.
Static Analysis for EN 50128 / 50657 compliance
While Static Analysis is not Mandatory at any EN 50128 / 50657 SIL, it is the only practical way in which a coding standard (which is Mandatory for SIL 3 and 4) can be enforced.
Within the standard, Phase 7.5 (Software Component Implementation and Testing) together with Annex A (Criteria for the Selection of Techniques and Measures) address software development, placing requirements on the initiation of software development; software architectural design and software unit design and implementation. This is the main area where the Static Analysis tools are used; however, some of the information generated from the tools can also be used to assist in later stages, particularly testing.
Please contact us for more information on Static Analysis tools for EN 50128 / 50657.
The following tables are from the normative Annex A of EN 50128 / 50657 and show where Static Analysis can be used to meet the required technique or measurement.

EN 50128 / 50657 Table A. 4 – Software Design and Implementation
Methods | SIL 0 | SIL 1 | SIL 2 | SIL 3 | SIL 4 |
---|---|---|---|---|---|
4. Modular Approach | HR | M | M | M | M |
5. Components | HR | HR | HR | HR | HR |
6. Design and Coding Standards | HR | HR | HR | M | M |
7. Analyzable Programs | HR | HR | HR | HR | HR |
8. Strongly Typed Programming Language | R | HR | HR | HR | HR |
9. Structured Programming | R | HR | HR | HR | HR |
11. Language Subset | – | – | – | HR | HR |
EN 50128 / 50657 Table A. 5 – Verification and Testing
Methods | SIL 0 | SIL 1 | SIL 2 | SIL 3 | SIL 4 |
---|---|---|---|---|---|
2. Static Analysis | – | HR | HR | HR | HR |
4. Metrics | – | R | R | R | R |
EN 50128 / 50657 Table A. 8 – Software Analysis Techniques
Methods | SIL 0 | SIL 1 | SIL 2 | SIL 3 | SIL 4 |
---|---|---|---|---|---|
1. Static Software Analysis | R | HR | HR | HR | HR |
EN 50128 / 50657 Table A. 12 – Coding Standards
Methods | SIL 0 | SIL 1 | SIL 2 | SIL 3 | SIL 4 |
---|---|---|---|---|---|
1. Coding Standard | HR | HR | HR | M | M |
2. Coding Style Guide | HR | HR | HR | HR | HR |
3. No Dynamic Objects | – | R | R | HR | HR |
4. No Dynamic Variables | – | R | R | HR | HR |
5. Limited Use of Pointers | – | R | R | HR | HR |
6. Limited Use of Recursion | – | R | R | HR | HR |
7. No Unconditional Jumps | – | HR | HR | HR | HR |
8. Limited size and complexity of Functions, Subroutines and Methods | HR | HR | HR | HR | HR |
9. Entry / Exit Point strategy for Functions, Subroutines and Methods | R | HR | HR | HR | HR |
10. Limited number of subroutine parameters | R | R | R | R | R |
11. Limited use of Global Variables | HR | HR | HR | M | M |
EN 50128 / 50657 Table A. 19 – Static Analysis
Methods | SIL 0 | SIL 1 | SIL 2 | SIL 3 | SIL 4 |
---|---|---|---|---|---|
3. Control Flow Analysis | – | HR | HR | HR | HR |
4. Data Flow Analysis | – | HR | HR | HR | HR |
EN 50128 / 50657 Table A. 20 – Components
Methods | SIL 0 | SIL 1 | SIL 2 | SIL 3 | SIL 4 |
---|---|---|---|---|---|
1. Information Hiding | – | – | – | – | – |
2. Information Encapsulation | R | HR | HR | HR | HR |
3. Parameter Number Limit | R | R | R | R | R |
