EN 50128 for rail software
May 20, 2020

What Is EN 50128?

EN 50128 is a functional safety standard for the rail industry and is titled “Railway applications — Communication, signaling, and processing systems — Software for railway control and protection systems”.

Following the requirements of this standard is critical for railway software development. For that reason, it is essential that you understand what EN 50128 is, how to follow the functional safety standard, and what Software Safety Integrity Levels (SSIL) are.

What Is EN 50128?

EN 50128 is a functional-safety standard tailored for the particular demands of the rail industry. It provides a set of requirements for the development, deployment, and maintenance of any safety-related software intended for railway control and protection applications.

Why Is EN 50128 Important?

The goal of the functional safety standard is to ensure safety throughout the lifecycle of rail equipment and systems. It does so by providing the requirements that must be followed to ensure safety.

A railway network comprises a number of very large and complex, but tightly controlled systems. Whilst the overall probability of a malfunction might be low, a single safety-related failure can clearly have a very severe impact on multiple individuals.

For that reason, it is essential that you follow the functional safety standard to avoid or control systematic failures as well as to detect or control random hardware failures.

What Is EN 50128 Classification of Tools?

The functional safety standard introduces three classes of tools and all tools must be assigned to one of these classes depending on their potential to affect the executable code.

Tool Class T1: Tool output does not contribute to executable code.

  • Text Editor
  • VCS

Tool Class T2: Tool tests and verifies design as well as the executable code. The tool cannot introduce defects into the code but may fail to detect existing defects.

  • Static Analysis Tool
  • Code Coverage Test Tool

Tool Class T3: Tool output contributes to executable code.

  • Compiler
  • Linker

For Class T2 tools, such as the static analysis tool Helix QAC, there must be evidence that the tool meets the requirements of the functional safety standard and the required Software Safety Integrity Level (SSIL). Helix QAC has been certified as fit for purpose to develop safety-related software up to SIL 4 by TÜV-SÜD.

Why Software Safety Integrity Levels (SSIL) are Important

Software Safety Integrity Levels are not unique to this functional safety standard, as all functional safety standards provide a number of pre-defined safety level categories.

EN 50128 has five defined SSIL values where SSIL 0 is the lowest level and SSIL 4 is the highest level of safety integrity. This means that SSIL 4 requires more checks and stringent controls whereas SSIL 0 is not safety-related.

When determining the SSIL for a component, various hazard consequences are taken into account such as loss of human life, injuries to persons, and damage to property.

The SSIL rating determines the techniques or measures that you will need to fulfill and there are different recommendations for each one.

For each technique the requirements are stated for each SSIL, using the following abbreviations:

  • “M” mandatory.
  • “HR” highly recommended.
  • “R” recommended.
  • “—” no requirement.

For example, Table A.12, Technique/Measure 1 states that a coding standard, such as MISRA, is mandatory for SSIL 3 and SSIL 4, and highly recommended for SSIL 0, SSIL 1, and SSIL 2.

How to Follow EN 50128?

Within the functional safety standard, Phase 7.5 (Software Component Implementation) and Annex A (Criteria for the Selection of Techniques and Measures) specifically address software development.

To meet the requirements of those sections, the functional safety standard specifies the use of a static code analyzer. This ensures that:

  • Defects and vulnerabilities are identified.
  • Coding standards — such as MISRA — are enforced.

Using a static code analyzer, like Helix QAC, makes it easier to verify that your code is compliant with the coding standard and therefore can meet the requirements of EN 50128. In addition, a static code analyzer helps to ensure that your code is safe, reliable, and high quality.

Following EN 50128 Is Easier with Helix QAC

Helix QAC is the most accurate code analyzer for the C and C++ programming languages. It has also been certified as fit for purpose to develop safety-related software up to SIL 4 by TÜV-SÜD. This makes it the ideal static code analyzer for functional safety.

What’s more, as a certified tool, Helix QAC can help you accelerate functional-safety compliance by:

  • Enforcing coding standards and detecting rule violations.
  • Preventing the use of undefined or unspecified behavior.
  • Implementing control and data flow analysis.
  • Calculating metrics.
