Compiler and Library Qualification for EN 50128 / EN 50716

EN 50128 / EN 50716 for Railway Applications

Railway systems must follow functional safety requirements developed specifically for the railway industry. These requirements are contained in the European standards developed by CENELEC (European Committee for Electrotechnical Standardization). EN 50128 “Railway Application – Communications, Signalling and Processing Systems – Software for Railway Control and Protection Systems” and EN 50716 “Railway Applications – Requirements for software development” are focused on software. As part of the requirements for software development, these standards govern the use of software tools such as compilers, as well as software components such as standard libraries.

Compiler Qualification

Compilers are usually not part of the electronic system itself. Compilers are used by the application developer, and only the compiler-generated code goes into the railway system. If the compiler generates incorrect code, there can be serious consequences. For that reason, Clause 6.7 of EN 50128 and EN 50716 defines that compilers shall be qualified through validation. With a qualified compiler, the application developer can trust that the compiler has been thoroughly verified using state-of-the-art techniques and that any errors found are documented. This means that a compiler does not have to be free of errors (few compilers are), but that its errors are known to the application developer so they can be avoided.

The typical approach to qualifying a compiler is validating it against the programming language specification. The SuperTest Compiler Test and Validation Suite is the industry standard for validating C and C++ compilers against their ISO-standardized programming language specifications. It does so by verifying that the behavior of the executable code generated by the compiler conforms to the language specification. Typical compilers have in the order of a thousand configuration options. If you do not qualify your compiler for your exact use case (i.e. configuration), the compiler is not qualified at all. SuperTest ensures that your compiler is qualified for your exact use case.

SuperTest contains automated tools that summarize the results of a validation run into manageable reports. One of these reports provides full traceability between the test suite and the programming language specification, providing evidence of the completeness of the validation, as required by the EN 50128 and EN 50716 standards. Both Solid Sands and its customers have performed numerous compiler qualification projects using SuperTest. The resulting safety documentation was certified for the highest safety integrity levels by independent assessors such as TÜV.


Library Qualification

The standard libraries of C and C++ are collections of header files and library functions defined by the C and C++ programming language specifications. Library qualification is different from compiler qualification because the library code becomes part of the safety-critical application code.

For that reason, Clause 7.3.4.7 of EN 50128 and EN 50716 considers the C and C++ standard libraries as pre-existing software components that shall be validated. The key component necessary to go through this process is a requirement-based test suite. The SuperGuard Library Safety Qualification Suite is such a test suite. It is the only test suite that provides detailed traceability between the requirements that are derived from the language specification and the tests for the C and C++ standard libraries.
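To make concrete what a requirement-based test with traceability to the language specification looks like, here is an added example (my own code, not SuperGuard or anything from Solid Sands): a miniature test for the C library function strtol in which every case records the ISO C subclause it derives from (7.22.1.4 in C11/C17, an annotation I supply) together with the wording of the requirement it checks, so a failing case points straight back to the specification. The inputs are constructed for the example.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WHOLE ((size_t)-1)  /* sentinel: the entire input must be consumed */

/* One requirement-derived case; clause + requirement give the spec traceability. */
typedef struct {
    const char *clause;        /* ISO C subclause the expectation comes from */
    const char *requirement;   /* the requirement, in the spec's terms */
    const char *input;         /* constructed input string */
    int base;
    long expected;             /* required return value */
    int expected_errno;        /* ERANGE, or 0 when no range error is expected */
    size_t expected_consumed;  /* required (endptr - input), or WHOLE */
} ReqTest;

static const ReqTest tests[] = {
    { "7.22.1.4", "white space skipped, optional sign, decimal digits", "  -42xyz", 10, -42L, 0, 5 },
    { "7.22.1.4", "base 0: \"0x\" prefix selects hexadecimal", "0x1F", 0, 31L, 0, 4 },
    { "7.22.1.4", "base 0: leading \"0\" selects octal", "017", 0, 15L, 0, 3 },
    { "7.22.1.4", "no conversion: returns 0 and endptr == nptr", "zzz", 10, 0L, 0, 0 },
    { "7.22.1.4", "out of range: LONG_MAX, errno == ERANGE", "99999999999999999999999", 10, LONG_MAX, ERANGE, WHOLE },
    { "7.22.1.4", "out of range: LONG_MIN, errno == ERANGE", "-99999999999999999999999", 10, LONG_MIN, ERANGE, WHOLE },
};

/* Runs every requirement test; returns the number of failures (0 = all pass). */
int run_strtol_requirement_tests(void) {
    int failures = 0;
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++) {
        const ReqTest *t = &tests[i];
        size_t want = t->expected_consumed == WHOLE ? strlen(t->input) : t->expected_consumed;
        char *end = NULL;
        errno = 0;
        long got = strtol(t->input, &end, t->base);
        /* When no range error is expected, only require that ERANGE was not raised. */
        int errno_ok = t->expected_errno ? errno == t->expected_errno : errno != ERANGE;
        if (got != t->expected || !errno_ok || (size_t)(end - t->input) != want) {
            failures++;
            printf("FAIL [ISO C %s: %s] input=\"%s\" got=%ld errno=%d consumed=%td\n",
                   t->clause, t->requirement, t->input, got, errno, end - t->input);
        }
    }
    return failures;
}
```

A real qualification suite covers every requirement of every library function in the same tagged form and is run against the library as built with the project's own compiler configuration.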

Under EN 50128 and EN 50716, the standard libraries are not required to undergo code coverage analysis directly since they are generally assumed to be well-tested by the library implementers. This holds even for the highest Safety Integrity Level (SIL 4). This means that the library can be qualified based on the binaries or using the source code. SuperGuard supports both options, even providing high structural and MC/DC coverage if desired for extra confidence (not mandatory; the source code is required in that case). Even if the library is only available in binary, SuperGuard’s developers have made sure to demonstrate the completeness of the test suite with close to 100% structural code coverage of the source code of other library implementations.

Even if the standard library that you use is delivered as a binary archive, your use case (including the compiler configuration and compilation options) is important. This is because the standard library also consists of header files that are processed as source code. For efficiency, many functions in the standard library are implemented as macros or inline code in those headers and are therefore compiled under your own use case. SuperGuard ensures that your standard library is qualified for your exact use case.
