
Page 1: EN 50128:2011 –What’s new and - Esterel · PDF file1 © 2014 ANSYS, Inc. October 23, 2014 ANSYS Confidential EN 50128:2011 –What’s new and applying it to your development and

1 © 2014 ANSYS, Inc. October 23, 2014 ANSYS Confidential

EN 50128:2011 – What’s new and applying it to your development and verification process

Gérard Morin

VP Professional Services

ESTEREL Technologies, ANSYS Group


EN 50128:2011 OVERVIEW

SCADE MODEL-BASED APPROACH

CERTIFICATION


Introduction

“The railway domain is used to using various kinds of formal methods in many applications with success.

The application of a formal method has a real impact on the software quality and on the effective cost. The reduction of the number of software versions is one of the most significant benefits.

With ANSYS, we have created a training dedicated to the railway domain in which we explain how to assume the CENELEC 50128:2011 standard with the SCADE® solution.

This webinar is a good introduction to our valuable joint work.”

EN 50128:2011 OVERVIEW
• Structure of EN 50128:2011
• Quality Assurance
• V-Cycle

SCADE MODEL-BASED APPROACH

CERTIFICATION

Structure of EN 50128:2011

(Figure: the clauses and annexes of EN 50128:2011)
• Clause 4: SSIL
• Clause 5: Organization
• Clause 6: Software Assurance
• Clause 7: Generic software
• Clause 8: Configuration Data
• Clause 9: Deployment, Maintenance
• Annex A: Tables of Criteria
• Annex B: Key Roles
• Annex C: Documents Control Summary
• Annex D: Bibliography of Techniques


Safety Integrity Level (SIL)

The SIL is allocated to software from System Safety Analysis

The SIL can be allocated to a requirement or to the complete software

For software, it is called Software SIL (SSIL)

The 5 values of SSIL:
• 0: failure has no impact or low impact on safety
• 1, 2: medium impact on safety
• 3, 4: high impact - death(s)

An EN 50128:2011 Compliant Process is Driven by Quality Assurance

M: Mandatory, HR: Highly Recommended, R: Recommended

Table A.8 – Software Analysis Techniques (6.3)

TECHNIQUE/MEASURE                      Ref                       SIL 0  SIL 1  SIL 2  SIL 3  SIL 4
1. Static Software Analysis            D.13, D.37, Table A.19    R      HR     HR     HR     HR
2. Dynamic Software Analysis           Table A.13, Table A.14    -      R      R      HR     HR
3. Cause Consequence Diagrams          D.6                       R      R      R      R      R
4. Event Tree Analysis                 D.22                      -      R      R      R      R
5. Software Error Effect Analysis      D.25                      -      R      R      HR     HR

Requirement:
1) One or more of these techniques shall be selected to satisfy the Software Safety Integrity Level being used.

Table A.9 – Software Quality Assurance (6.5)

TECHNIQUE/MEASURE                      Ref    SIL 0  SIL 1  SIL 2  SIL 3  SIL 4
1. Accredited to EN ISO 9001           7.1    R      HR     HR     HR     HR
2. Compliant with EN ISO 9001          7.1    M      M      M      M      M
3. Compliant with ISO/IEC 90003        7.1    R      R      R      R      R
4. Company Quality System              7.1    M      M      M      M      M
5. Software Configuration Management   D.48   M      M      M      M      M
6. Checklists                          D.7    R      HR     HR     HR     HR
7. Traceability                        D.58   R      HR     HR     M      M
8. Data Recording and Analysis         D.12   HR     HR     HR     M      M

Requirements:
1) This table shall be applied to different roles and all phases.

Table A.10 – Software Maintenance (9.2)

TECHNIQUE/MEASURE                      Ref    SIL 0  SIL 1  SIL 2  SIL 3  SIL 4
1. Impact Analysis                     D.32   R      HR     HR     M      M
2. Data Recording and Analysis         D.12   HR     HR     HR     M      M

EN 50128:2011 V-Cycle

(Figure: the V-cycle, from the System Development Phase down through the software phases and back up to validation and maintenance; a Verification Report is produced at every phase.)

Phases: Software Planning Phase, Software Requirement Phase, Software Architecture Phase, Software Component Design Phase, Software Component Implementation Phase, Software Component Testing Phase, Software Integration Phase, Software Validation Phase, Software Maintenance Phase.

Documents per phase:
• System inputs: System Requirement Specification, System Architecture Description, Hardware Documents, Safety Requirements
• Software Planning Phase: Software Quality Assurance Plan, Software Configuration Mgmt Plan, Software Verification Plan, Software Validation Plan, Software Maintenance Plan; Software Assessment Plan, Software Assessment Report
• Software Requirement Phase: Software Requirements Specification, Overall Test Specification
• Software Architecture Phase: Software Architecture Specification, Software Design Specification, Software Interface Specification, Software Integration Test Spec, Sw/Hw Integration Test Spec
• Software Component Design Phase: Software Component Design Specification, Software Component Test Specification
• Software Component Implementation Phase: Software Source Code & Supporting Documentation
• Software Component Testing Phase: Software Component Test Report
• Software Integration Phase: Software Integration Test Report, Sw/Hw Integration Test Report
• Software Validation Phase: Overall Software Test Report, Software Validation Report
• Software Maintenance Phase: Software Maintenance Records, Software Change Records

EN 50128:2011 OVERVIEW

SCADE MODEL-BASED APPROACH
• SCADE Suite
• SCADE Model-Based V-Cycle
• 5 Basic Principles of EN 50128:2011

CERTIFICATION

SCADE Suite

(Figure: the SCADE Suite tool chain)
• PROTOTYPE & DESIGN: Control Software Design
• GENERATE: SCADE Suite KCG (C & Ada), RTOS Adaptors, Object Code & Compiler Verification; Certification Kits for DO-178B, DO-178C, IEC 61508, EN 50128, ISO 26262
• VERIFY: Model Coverage Analysis, Formal Verification, Time & Stack Optimization, Debug & Simulation, Model Checks, Plant Model Co-simulation (incl. FMI)

Rail Automation Applications with SCADE

• Automatic Train Control and Protection Systems: ETCS, CTCS & CBTC
  – Emergency braking, overspeed protection, vehicle speed control, ATP/ATO
  – Satellite-based locomotive control
  – On-board displays (DMI)
• Interlockings
• Doors opening and departure interlocks
• Train detection systems (Axle counters)
• Level Crossing Protection
• Control Centers: Fault reporting and Interlocking Displays

RATP – Paris Metro
Ansaldo Signal
Siemens Rail Transportation
Korea POSCON – Platform Screen Door

Modeling

Modeling is a major technique mentioned by the standard. Modeling can be used for: Requirement, Architecture, Design.

Table A.17 – Modelling

TECHNIQUE/MEASURE                                       Ref    SIL 0  SIL 1  SIL 2  SIL 3  SIL 4
1. Data Modelling                                       D.65   R      R      R      HR     HR
2. Data Flow Diagrams                                   D.11   -      R      R      HR     HR
3. Control Flow Diagrams                                D.66   R      R      R      HR     HR
4. Finite State Machines or State Transition Diagrams   D.27   -      HR     HR     HR     HR
5. Time Petri Nets                                      D.55   -      R      R      HR     HR
6. Decision/Truth Tables                                D.13   R      R      R      HR     HR
7. Formal Methods                                       D.28   -      R      R      HR     HR
8. Performance Modelling                                D.39   -      R      R      HR     HR
9. Prototyping/Animation                                D.43   -      R      R      R      R
10. Structure Diagrams                                  D.51   -      R      R      HR     HR
11. Sequence Diagrams                                   D.67   R      HR     HR     HR     HR

Requirements:
1) A modelling guideline shall be defined and used.
2) At least one of the HR techniques shall be chosen.

Table A.18 – Performance Testing

TECHNIQUE/MEASURE                                       Ref    SIL 0  SIL 1  SIL 2  SIL 3  SIL 4
1. Avalanche/Stress Testing                             D.3    -      R      R      HR     HR
2. Response Timing and Memory Constraints               D.45   -      HR     HR     HR     HR
3. Performance Requirements                             D.40   -      HR     HR     HR     HR

Table A.19 – Static Analysis

TECHNIQUE/MEASURE                                       Ref    SIL 0  SIL 1  SIL 2  SIL 3  SIL 4
1. Boundary Value Analysis                              D.4    -      R      R      HR     HR
2. Checklists                                           D.7    -      R      R      R      R
3. Control Flow Analysis                                D.8    -      HR     HR     HR     HR
4. Data Flow Analysis                                   D.10   -      HR     HR     HR     HR
5. Error Guessing                                       D.20   -      R      R      R      R
6. Walkthroughs/Design Reviews                          D.56   HR     HR     HR     HR     HR


Modeling

SCADE Modeling Style

SCADE Suite Modeling

(Figure: the same model in Hierarchical View, operators A; B with B1, B2, B3; C with C1, C2, and in Net View: Display Logic, AlarmManager and FlightController, with flows speed, altitude, throttleCmd, elevatorCmd, JV_Speed_Alarm, JV_Alti_Alarm, SDY_Airspeed, SDY_Pitch_Angle, SDY_Roll_Angle, SDY_Alti, SDY_Baro_Scale, MCP_UnlockRoll, MCPspeed, MCPaltitude, the UnitConvert instances KTStoKMH, FTtoM, MtoFT, KMHtoKTS, and the operators ComputePitchRoll and DetectRegulationError.)

State machine <FlightMode> has the states AUTOPILOT and MANUAL (transitions on AutoPilot / not AutoPilot). In MANUAL:

SpeedTarget = (speed) -> ( last 'SpeedTarget);
AltitudeTarget = (altitude) -> ( last 'AltitudeTarget);

AlarmManager instantiates AlarmManagerSingle twice: with alarmSpeedThreshold and alarmSpeedTimer on speedSensor / speedSetpoint, producing JV_Speed_Alarm, and with alarmAltThreshold and alarmAltTimer on altSensor / altSetpoint, producing JV_Alti_Alarm. AlarmManagerSingle (inputs Sensor, Setpoint, AlarmThreshold) contains the state machine <AlarmMgt> with states NoAlarm and Alarm (transitions on Alarm / not Alarm); inside Alarm, <SubAlarmMgt> has the states Fugitive and Confirmed, the transition to Confirmed firing after AlarmConfirmedTimer times true, and Confirmed setting AlarmConfirmed = true.

A scalar operator, shown as textual equations (out = in * Factor):

L1 = L2 * L3;
L2 = in;
L3 = Factor;
out = L1;
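To make the cycle-based semantics of the operators on this slide concrete, here is an added, hand-written C illustration (not KCG output and not code from the presentation) of AlarmManagerSingle's NoAlarm / Fugitive / Confirmed state machine and of the MANUAL-mode `->` equations; the comparison inside DetectRegulationError, the wiring of MCPspeed / MCPaltitude to the targets in AUTOPILOT, and all sample values are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* DetectRegulationError: sensor deviates from its setpoint by more than the threshold (assumed). */
bool detect_regulation_error(double sensor, double setpoint, double threshold)
{
    double d = sensor - setpoint;
    return (d < 0.0 ? -d : d) > threshold;
}

/* <AlarmMgt>: NoAlarm / Alarm, and inside Alarm <SubAlarmMgt>: Fugitive / Confirmed. */
typedef enum { ST_NO_ALARM = 0, ST_FUGITIVE = 1, ST_CONFIRMED = 2 } alarm_state_t;
typedef struct {
    alarm_state_t state;
    unsigned count;         /* consecutive error cycles, the "times" counter */
    bool alarm;             /* output Alarm */
    bool alarm_confirmed;   /* output AlarmConfirmed */
} alarm_ctx_t;

void alarm_reset(alarm_ctx_t *c) { c->state = ST_NO_ALARM; c->count = 0; c->alarm = c->alarm_confirmed = false; }

/* One cycle of AlarmManagerSingle(Sensor, Setpoint; AlarmThreshold, AlarmConfirmedTimer). Transitions
 * take effect on the next cycle: Fugitive on the cycle the error appears, Confirmed once it has
 * persisted for `timer` consecutive cycles (timer >= 2); any error-free cycle returns to NoAlarm. */
void alarm_step(alarm_ctx_t *c, double sensor, double setpoint, double threshold, unsigned timer)
{
    if (!detect_regulation_error(sensor, setpoint, threshold)) {
        c->state = ST_NO_ALARM; c->count = 0;
    } else if (c->state == ST_NO_ALARM) {
        c->state = ST_FUGITIVE; c->count = 1;
    } else if (c->state == ST_FUGITIVE && ++c->count >= timer) {
        c->state = ST_CONFIRMED;
    }
    c->alarm = (c->state != ST_NO_ALARM);
    c->alarm_confirmed = (c->state == ST_CONFIRMED);
}

/* <FlightMode>: MANUAL / AUTOPILOT, switched by the AutoPilot input. */
typedef enum { MODE_MANUAL = 0, MODE_AUTOPILOT = 1 } flight_mode_t;
typedef struct {
    flight_mode_t mode;
    bool first_cycle;       /* first cycle after entering a state: `->` yields its left operand */
    double speed_target;    /* output SpeedTarget */
    double altitude_target; /* output AltitudeTarget */
} flight_ctx_t;

void flight_reset(flight_ctx_t *c) { c->mode = MODE_MANUAL; c->first_cycle = true; c->speed_target = c->altitude_target = 0.0; }

/* One cycle. In AUTOPILOT the targets follow the MCP inputs (assumed: the figure wires MCPspeed and
 * MCPaltitude to the targets). In MANUAL the slide's equations apply, i.e. the measurement is
 * captured on entering the state and then held:
 *   SpeedTarget = (speed) -> (last 'SpeedTarget);  AltitudeTarget = (altitude) -> (last 'AltitudeTarget); */
void flight_step(flight_ctx_t *c, bool autopilot, double speed, double altitude,
                 double mcp_speed, double mcp_altitude)
{
    flight_mode_t next = autopilot ? MODE_AUTOPILOT : MODE_MANUAL;
    if (next != c->mode) {           /* entering a state restarts its `->` initialisation */
        c->mode = next; c->first_cycle = true;
    }
    if (c->mode == MODE_AUTOPILOT) {
        c->speed_target = mcp_speed; c->altitude_target = mcp_altitude;
    } else if (c->first_cycle) {
        c->speed_target = speed; c->altitude_target = altitude;
    }                                /* else: last 'SpeedTarget / last 'AltitudeTarget are kept */
    c->first_cycle = false;
}

/* Constructed run: setpoint 100, threshold 5, timer 3. Returns the 1-based cycle at which
 * AlarmConfirmed first becomes true, 0 if never. */
unsigned demo_alarm_confirmed_cycle(void)
{
    static const double sensor[] = { 100.0, 107.0, 108.0, 109.0, 101.0 };
    alarm_ctx_t c; unsigned i;
    alarm_reset(&c);
    for (i = 0; i < 5; i++) {
        alarm_step(&c, sensor[i], 100.0, 5.0, 3);
        if (c.alarm_confirmed) return i + 1;
    }
    return 0;
}

/* Constructed run: MANUAL, MANUAL, AUTOPILOT, MANUAL, MANUAL with MCP speed fixed at 300;
 * returns SpeedTarget after `steps` cycles. */
double demo_speed_target_after(int steps)
{
    static const bool ap[] = { false, false, true, false, false };
    static const double spd[] = { 250.0, 260.0, 270.0, 280.0, 290.0 };
    flight_ctx_t c; int i;
    flight_reset(&c);
    for (i = 0; i < steps && i < 5; i++)
        flight_step(&c, ap[i], spd[i], 10000.0, 300.0, 12000.0);
    return c.speed_target;
}

int main(void)
{
    printf("AlarmConfirmed first true at cycle %u\n", demo_alarm_confirmed_cycle());
    printf("SpeedTarget held in MANUAL: %.1f; re-captured on re-entering MANUAL: %.1f\n", demo_speed_target_after(2), demo_speed_target_after(4));
}
```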

SCADE V-Cycle

(Figure: the SCADE V-cycle mapped onto the EN 50128:2011 phases)

Phases: System Development Phase; Software Planning Phase (Software Assessment Plan); Software Requirement Phase; HW/SW Architecture Phase; SCADE SW Architecture Phase; SCADE Component Design Phase; SCADE Component Coding Phase; SCADE Testing Preparation Phase; SCADE Component Testing Phase; SCADE Integration Phase; HW/SW Integration Phase; Software Validation Phase; Software Maintenance Phase.

Artifacts produced with SCADE:
• SCADE SW Architecture Phase: SCADE Architecture Design Model, Generated Documentation, Requirements to SCADE Architecture Allocation Matrix
• SCADE Component Design Phase: SCADE Design Model, SCADE Detailed Design Document, Requirements to SCADE Model Traceability Matrix
• SCADE Testing Preparation Phase: SCADE Test Cases (Components + Integration), Requirements to Test Cases Traceability Matrix
• SCADE Component Coding Phase: SCADE Component Generated code, SCADE Compiler Verification Kit Results
• SCADE Component Testing Phase: SCADE Component Test Results, SCADE Coverage Results
• SCADE Integration Phase: SCADE Integration Test Results, SCADE Coverage Results
• Software Validation Phase: Overall Software Test Report, Software Validation Report


Basic Principles of EN 50128:2011

Architecture and Components

Documentation and Traceability

Configuration Management and Project Management

Verification

Certification

HW/SW Architecture according to EN 50128:2011

(Figure: a Safe Platform hosting the Application)
• Safe Platform: hardware HW1, HW2, HW3; Integrity Measures; Diagnostics; I/O Drivers; Scheduling
• Application: SCADE Generic Component, SCADE Component, Legacy Component (Legacy Code), Parameters

Architecture and Components

• Model-Based Design approach facilitates the identification of Architecture and Functional items
  o Architecture Model: assembly of SCADE Operators with explicit communication between Operators
  o Use of Library Components: enhanced modularity and reusability

(Figure: a station control architecture model assembling the operators ControlCommand and Display::Display, with the flows TrackStates, PointStates, PointPosition, SignalPositions, TrainsBlocked, Start, TrainId, VisibleTrainIds, IdOnPoints, IdVisibleOnTracks, IdOnTracks, TrackPointIdVisible, IdVisible, IdVisibleOnPoints and ITINERARIES.)


Architecture and Components

Each SCADE model can be managed as a library component:

• A SCADE model can use several library components.

• Libraries can be organized hierarchically.

• When a library is used in a project, its access is read only.

Libraries structure the user definitions of SCADE projects:

• You can create your own library components, fully test them and reuse them from other projects.

• The libraries used by a model are specified in the model project.

Architecture and Components

(Figure: Station Control SW assembled from library components)
• Control Command Display
• MovementAuthority
• Station State Mgmt

3 Components in Library

Documentation & Traceability

Documentation enables auditability of the project artifacts.

Documentation must be:
– Traceable
– Structured to allow expansion as the project proceeds
– Recorded in a form appropriate for manipulation, processing and storage

Among the 46 required documents, Design Specifications are automatically generated from the models.

Traceability matrices are automated as well.

Documentation & Traceability: Interface Specification

Excerpt from EN 50128:2011, 7.3.4:

7.3.4.19 The description of interfaces shall address
a) pre/post conditions,
b) definition and description of all boundary values for all specified data,
c) behaviour when the boundary value is exceeded,
d) behaviour when the value is at the boundary,
e) For time-critical input and output data:
   1) time constraints and requirements for correct operation,
   2) management of exceptions.
f) allocated memory for the interface buffers and the mechanisms to detect that the memory cannot be allocated or all buffers are full, where applicable,
g) existence of synchronization mechanisms between functions (see e)).

All data from and to the interfaces shall be defined for the whole range of values defined by the type of the data, including the ranges which are not used when processed by the functions:
a) definition and description of all equivalence classes for all specified data and each software function using them,
b) definition of unused or forbidden equivalence classes.

NOTE The data type includes the following:
1) input parameters and output results of functions and/or procedures;
2) data specified in telegrams or communication packets;
3) data from the hardware.

7.3.4.20 A Software Design Specification shall be written, under the responsibility of the Designer, on the basis of the Software Requirements Specification, the Software Architecture Specification and the Software Interface Specification.

Requirements from 7.3.4.21 to 7.3.4.24 refer to the Software Design Specification.

7.3.4.21 The input documents shall be available, although not necessarily finalised, prior to the start of the design process.

7.3.4.22 The Software Design Specification shall describe the software design based on a decomposition into components with each component having a Software Component Design Specification and a Software Component Test Specification.

7.3.4.23 The Software Design Specification shall address
a) software components traced back to software architecture and their safety integrity level,
b) interfaces of software components with the environment,
c) interfaces between the software components,
d) data structures,
e) allocation and tracing of requirements on components,
f) main algorithms and sequencing,
g) error reporting mechanisms.

Documentation & Traceability: Interface Specification

(Generated interface specification, excerpt)

Name: AccIn
Type: AccItinerary_t
Comments: Global flow contains the different elements' states and information for the Train
Annotations:
  PointItineryIds
    Role: array of Id of the points on Itinerary
    Pre_post_Condition: N/A
    Unit: N/A
    Range: [0;MAX_POINTS]
    Robustness: N/A
    Time_Constraints: N/A
    Memory: N/A
  PointState
    Role: array of State of points in previous cycle
    Pre_post_Condition: N/A
    Unit: N/A
    Range: [IDLE;SET;OCCUPIED]
    Robustness: N/A
    Time_Constraints: N/A
    Memory: N/A
../..

Inputs of StationStateMgt

Name: TrackStates
Type: OccState_t^MAX_TRACKS
Annotations: TrackStates
  Role: array of state of the tracks
  Pre_post_Condition: N/A
  Unit: N/A
  Range: [IDLE;SET;OCCUPIED]
  Robustness: N/A
  Time_Constraints: N/A
  Memory: N/A

Name: PointStates
Type: OccState_t^MAX_POINTS
Annotations: PointStates
  Role: array of states of the points
  Pre_post_Condition: N/A
  Unit: N/A
  Range: [IDLE;SET;OCCUPIED]
  Robustness: N/A
  Time_Constraints: N/A
  Memory: N/A

Name: PointPosition
Type: Position_t^MAX_POINTS
Annotations: PointPosition
  Role: array of position of the points
  Pre_post_Condition: N/A
  Unit: N/A
  Range: [STRAIGHT;TURN]
  Robustness: N/A
  Time_Constraints: N/A
  Memory: N/A
../..

Outputs of StationStateMgt
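As an added example (not from the presentation or the SCADE project it describes), the following C code turns the annotated ranges above into an input check of the kind 7.3.4.19 asks for: raw telegram bytes are classified into used and forbidden equivalence classes, values at the boundary (OCCUPIED, TURN) are accepted, values beyond it are rejected, and buffer counts are bounded; MAX_TRACKS, MAX_POINTS, the telegram layout and the error codes are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed array sizes; the project's real MAX_TRACKS / MAX_POINTS are not on the page. */
#define MAX_TRACKS 4
#define MAX_POINTS 3

typedef enum { IDLE = 0, SET = 1, OCCUPIED = 2 } OccState_t;  /* Range: [IDLE;SET;OCCUPIED] */
typedef enum { STRAIGHT = 0, TURN = 1 } Position_t;          /* Range: [STRAIGHT;TURN]     */

/* Raw image of the StationStateMgt inputs as received in a telegram (7.3.4.19, NOTE 2):
 * every byte may carry any value, so each one may fall into the forbidden class. */
typedef struct {
    uint8_t track_count;
    uint8_t track_states[MAX_TRACKS];
    uint8_t point_count;
    uint8_t point_states[MAX_POINTS];
    uint8_t point_position[MAX_POINTS];
} StationTelegram_t;

/* Typed inputs handed to the component only after the check below has succeeded. */
typedef struct {
    OccState_t TrackStates[MAX_TRACKS];
    OccState_t PointStates[MAX_POINTS];
    Position_t PointPosition[MAX_POINTS];
} StationStateMgtInputs_t;

/* Error reporting (7.3.4.23 g): which input failed, at which index, with which raw value. */
typedef enum { ERR_NONE = 0, ERR_COUNT, ERR_TRACK_STATE, ERR_POINT_STATE, ERR_POINT_POSITION } InputError_t;
typedef struct { InputError_t code; size_t index; uint8_t value; } InputCheck_t;

/* Equivalence classes: {IDLE, SET, OCCUPIED} are the used classes of OccState_t, every other byte
 * value is the forbidden class. The boundary value OCCUPIED is accepted (7.3.4.19 d); OCCUPIED + 1,
 * the first value beyond it, is rejected (7.3.4.19 c). Likewise for TURN. */
static bool occ_state_valid(uint8_t raw) { return raw <= (uint8_t)OCCUPIED; }
static bool position_valid(uint8_t raw)  { return raw <= (uint8_t)TURN; }

/* Validates one telegram against the interface contract. `out` is written only when the whole
 * telegram is acceptable; elements beyond the transmitted counts default to IDLE / STRAIGHT. */
InputCheck_t check_station_inputs(const StationTelegram_t *t, StationStateMgtInputs_t *out)
{
    InputCheck_t r = { ERR_NONE, 0, 0 };
    StationStateMgtInputs_t tmp = { { IDLE }, { IDLE }, { STRAIGHT } };
    size_t i;
    /* Buffer bounds (7.3.4.19 f): never index past the allocated arrays. */
    if (t->track_count > MAX_TRACKS) { r.code = ERR_COUNT; r.value = t->track_count; return r; }
    if (t->point_count > MAX_POINTS) { r.code = ERR_COUNT; r.value = t->point_count; return r; }
    for (i = 0; i < t->track_count; i++) {
        if (!occ_state_valid(t->track_states[i])) {
            r.code = ERR_TRACK_STATE; r.index = i; r.value = t->track_states[i]; return r;
        }
        tmp.TrackStates[i] = (OccState_t)t->track_states[i];
    }
    for (i = 0; i < t->point_count; i++) {
        if (!occ_state_valid(t->point_states[i])) {
            r.code = ERR_POINT_STATE; r.index = i; r.value = t->point_states[i]; return r;
        }
        if (!position_valid(t->point_position[i])) {
            r.code = ERR_POINT_POSITION; r.index = i; r.value = t->point_position[i]; return r;
        }
        tmp.PointStates[i] = (OccState_t)t->point_states[i];
        tmp.PointPosition[i] = (Position_t)t->point_position[i];
    }
    *out = tmp;
    return r;
}

/* Constructed telegram with every value inside its range; returns the checked TrackStates[1]
 * (OCCUPIED), or -1 if the telegram was rejected. */
int demo_valid_track1(void)
{
    StationTelegram_t t = { 4, { IDLE, OCCUPIED, SET, IDLE }, 3, { IDLE, SET, IDLE }, { STRAIGHT, TURN, TURN } };
    StationStateMgtInputs_t in;
    return check_station_inputs(&t, &in).code == ERR_NONE ? (int)in.TrackStates[1] : -1;
}

/* Constructed telegram where point 2 carries position 2, one past TURN: the forbidden class. */
InputCheck_t demo_beyond_boundary(void)
{
    StationTelegram_t t = { 4, { IDLE, IDLE, IDLE, IDLE }, 3, { IDLE, IDLE, IDLE }, { STRAIGHT, TURN, 2 } };
    StationStateMgtInputs_t in;
    return check_station_inputs(&t, &in);
}

/* Constructed telegram claiming 9 tracks: more than the allocated buffer. */
InputCheck_t demo_count_overflow(void)
{
    StationTelegram_t t = { 9, { 0 }, 3, { 0 }, { 0 } };
    StationStateMgtInputs_t in;
    return check_station_inputs(&t, &in);
}

int main(void)
{
    InputCheck_t r = demo_beyond_boundary();
    printf("valid telegram: TrackStates[1] = %d (OCCUPIED = %d)\n", demo_valid_track1(), OCCUPIED);
    printf("beyond boundary: error %d at index %zu, raw value %u\n", r.code, r.index, (unsigned)r.value);
    printf("count overflow: error %d\n", demo_count_overflow().code);
    return 0;
}
```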

Configuration Management and Project Management

It is key that the Project Manager has at his disposal a Configuration Management tool and a Project Dashboard that are synchronized with the Model-Based Development Environment.

(Figure: two workspaces under configuration management. The Architecture team workspace holds the approved architecture, versions Root1.1, Root1.2, Root1.3 of Root, under slow, restricted evolution; it is read-only for the Component A workspace, which holds Func A, versions A1.1 to A1.4, under frequent evolution.)

Model-Based Verification

It is a combination of several Model-Based Verification techniques

• Semantics check of the model

(Figure: the semantic checker reporting "Error message: Incompatible type" on operator CruiseSpeedMgt, whose interface has the inputs QuickDecel, QuickAccel and Set of type bool and Speed of type tSpeed, the output CruiseSpeed of type tSpeed, and the local local_CruiseSpeed; a "locate" action jumps to the faulty element.)


Model-Based Verification

It is a combination of several Model-based Verification techniques

• Semantics check of the model

• User design rules check of the model

Implementation of the rule « All local variables start by l_ »

Execution of the script, which dumps the result of the rule for each element
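An added illustration (not the presentation's own script) of such a user design rule: it walks a constructed textual dump of model elements, applies the rule "all local variables start with l_" to each local, prints the verdict per element and counts the violations; the dump format is an assumption, not a SCADE export.

```c
#include <stdio.h>
#include <string.h>

/* Constructed textual dump of model elements, one "<kind> <name> : <type>" per line.
 * This is not a real SCADE export format; a real script would walk the model API. */
static const char *MODEL_DUMP =
    "operator CruiseSpeedMgt\n"
    "input QuickAccel : bool\n"
    "input QuickDecel : bool\n"
    "input Set : bool\n"
    "input Speed : tSpeed\n"
    "output CruiseSpeed : tSpeed\n"
    "local local_CruiseSpeed : tSpeed\n"
    "local l_SpeedDelta : tSpeed\n";

#define RULE_PREFIX "l_"

/* Applies the rule to one element. Only locals are subject to it.
 * Returns 1 = pass, 0 = violation, -1 = rule not applicable to this kind of element. */
int check_local_name(const char *kind, const char *name)
{
    if (strcmp(kind, "local") != 0) return -1;
    return strncmp(name, RULE_PREFIX, strlen(RULE_PREFIX)) == 0 ? 1 : 0;
}

/* Walks the dump line by line, optionally printing the verdict for each element
 * (the per-element result dump of the slide), and returns the number of violations. */
int run_rule_check(const char *dump, int verbose)
{
    int violations = 0;
    const char *p = dump;
    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[128], kind[32], name[64];
        if (len >= sizeof line) len = sizeof line - 1;   /* truncate over-long lines safely */
        memcpy(line, p, len);
        line[len] = '\0';
        if (sscanf(line, "%31s %63s", kind, name) == 2) {
            int r = check_local_name(kind, name);
            if (r == 0) violations++;
            if (verbose && r >= 0)
                printf("%-7s %-20s %s\n", kind, name,
                       r ? "OK" : "VIOLATION: local variables must start with " RULE_PREFIX);
        }
        p = eol ? eol + 1 : p + len;
    }
    return violations;
}

int main(void)
{
    int n = run_rule_check(MODEL_DUMP, 1);
    printf("%d violation(s)\n", n);
    return n == 0 ? 0 : 1;
}
```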

Model-Based Verification

It is a combination of several Model-based Verification techniques

• Semantics check of the model
• User design rules check of the model
• Complexity check of the model
• Review of the model
• Traceability analysis between higher-level requirements and the model
• Timing and stack analysis at model-level
• Simulation that supports the thorough exploration of the dynamic behavior

Combined Testing Process

The SCADE Combined Testing Process is a SCADE model-based approach for combining efficient and rigorous testing activities.

Objectives are the following:
• Optimize the testing effort
• Maximize the benefit from KCG qualification/certification

Combination is the following:
• Software requirements-based testing
• Low-level testing on a sample
• Testing on host and on target

“Traditional” Testing Process

(Figure: Application Code on top of Libraries and Scheduler and I/O)

An embedded application is typically made of:

• A scheduler or an operating system + drivers for inputs and outputs

• The code of the application

• Libraries of some elementary operations (C code) that are repeatedly used in the application

“Traditional” Testing Process

(Figure: Low-Level Tests applied to each of Application Code, Libraries and Scheduler and I/O. Libraries and Scheduler and I/O are stable; the Application Code is massive, with many updates.)

Low-Level Testing (a.k.a. Unit Testing) is applied to the 3 components of the application.

Low-level Testing of the Application Code is time consuming, requires updates each time there is a code update (which is a standard situation), and the stopping criterion is not easy to establish.

“Traditional” Testing Process

Requirements-Based Tests

The requirements-based tests are coded in C, and/or in a specific target test tool format, and run on target; thus, they are debugged on target.

Target test tool structural coverage measurement can be the stopping criterion, generally mixed with low-level test coverage scores, sometimes not easy to justify.

(Figure: as before, with the Requirements-Based Tests run On Target against the whole application.)

SCADE Combined Testing Process (CTP)

(Figure: SCADE Generated Application Code on top of Libraries (C code) and Scheduler and I/O)

An embedded application designed with SCADE Suite is typically made of:

• A scheduler or an operating system + drivers for inputs and outputs

• The code of the application, generated by SCADE Suite KCG

• Libraries of some elementary imported operators (C code) that are repeatedly called in the SCADE model (SCADE libraries are part of the generated code).

SCADE Combined Testing Process (CTP)

(Figure: Low-Level Tests on the stable Libraries (C code) and Scheduler and I/O)

• No change in low-level testing against the scheduler and I/O (or OS) and against the libraries of C Code


SCADE Combined Testing Process (CTP)

[Diagram: SCADE-generated application code under requirements-based tests with QTE, on host and/or on target, with model test coverage assessed with MTC; libraries (C code) and scheduler and I/O, each with stable low-level tests.]

The specification-based tests are created using SCADE LifeCycle QTE and run on host (SCADE simulation) and/or on target (target testing) according to the test strategy that has been established.

SCADE Suite MTC is the unique means to monitor and stop the requirements-based testing activities.


SCADE Combined Testing Process (CTP)

SCADE Suite CVK is a low-level test suite used to perform unit testing on target of all the C constructs of the SCADE generated application code.

[Diagram: SCADE-generated application code under requirements-based tests with QTE, on host and/or on target, with model test coverage assessed with MTC and no low-level tests on the generated code; CVK bricks with stable low-level tests; libraries (C code) and scheduler and I/O, each with stable low-level tests.]


Software Test Strategy: 3 Stages

Stage 1: Sw Component Testing (on host)
• Inputs: SwCS, SwCTS (Sw Component Test Specification), each followed by a Verification step
• Objective = 100% Structural Coverage (Criterion = DC for SIL 3/4 and Branches for SIL 2)
• Tools: SCADE Simulator, SCADE QTE, SCADE MTC

Stage 2: Sw/Sw Integration (on host)
• Inputs: SwITS (Sw Integration Test Specification), SwINS, each followed by a Verification step
• Objective = 100% of interfaces
• Tools: SCADE Simulator, SCADE QTE, SCADE RM Gateway

Stage 3: Overall Sw Testing (on target)
• Inputs: SwRS, OSTS (Overall Sw Test Specification), each followed by a Verification step
• Objective = 100% of Software Requirements
• Tools: SCADE QTE, SCADE RM Gateway
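The stage 1 stopping criterion differs by SIL: decision coverage (DC) for SIL 3/4 and branch coverage for SIL 2. The Python example below is added here and is not part of the ANSYS/Esterel deck or of any SCADE tool; it shows why the two criteria are not interchangeable. A hypothetical door-release function (constructed for this example, as are the test vectors and all names) is instrumented with a small coverage monitor: a two-vector suite reaches 100% branch coverage while leaving one decision, a boolean that is assigned rather than jumped on, only half covered, and a third vector is needed to satisfy DC.

```python
"""Added example (not from the ANSYS/Esterel deck): branch coverage versus
decision coverage as a stopping criterion for requirements-based tests.

Decision coverage (DC) asks that every boolean decision in the code take
both the True and the False outcome; branch coverage asks the same only of
decisions that drive a conditional jump. A boolean that is merely assigned
is a decision but not a branch, so a suite can reach 100% branch coverage
while leaving that decision half covered."""
from dataclasses import dataclass, field


@dataclass
class CoverageMonitor:
    """Records the outcomes (True/False) observed for each branch and decision."""
    branch_outcomes: dict = field(default_factory=dict)
    decision_outcomes: dict = field(default_factory=dict)

    def decision(self, name: str, value: bool) -> bool:
        # Every boolean expression of interest is routed through here.
        self.decision_outcomes.setdefault(name, set()).add(bool(value))
        return value

    def branch(self, name: str, value: bool) -> bool:
        # Only expressions that select a control-flow path are routed here.
        self.branch_outcomes.setdefault(name, set()).add(bool(value))
        return value


# Static inventory of the code under test, as a coverage tool would build it.
BRANCHES = ("b1",)                      # conditional jumps
DECISIONS = ("stopped_ok", "side_ok")   # boolean decisions, jump or not


def door_release(cov: CoverageMonitor, speed_kmh: int, at_platform: bool,
                 platform_side: str, requested_side: str) -> bool:
    """Hypothetical door-release logic (constructed for this example):
    release only when the train is stopped at a platform and the requested
    door side matches the platform side."""
    # Decision 1 drives an if/else, so it is both a decision and a branch.
    if cov.branch("b1", cov.decision("stopped_ok", speed_kmh == 0 and at_platform)):
        stopped_ok = True
    else:
        stopped_ok = False
    # Decision 2 is assigned, not jumped on: invisible to branch coverage.
    side_ok = cov.decision("side_ok", platform_side == requested_side)
    return stopped_ok and side_ok


def outcome_coverage(seen: dict, names: tuple) -> float:
    """Fraction of the 2 * len(names) possible outcomes that were observed."""
    hit = sum(len(seen.get(name, set())) for name in names)
    return hit / (2 * len(names))


def run_suite(vectors):
    """Run a test suite; return (branch coverage, decision coverage, results)."""
    cov = CoverageMonitor()
    results = [door_release(cov, *vector) for vector in vectors]
    return (outcome_coverage(cov.branch_outcomes, BRANCHES),
            outcome_coverage(cov.decision_outcomes, DECISIONS),
            results)


# Constructed test vectors: (speed_kmh, at_platform, platform_side, requested_side)
SUITE_BRANCH_ONLY = [
    (0, True, "left", "left"),     # stopped at platform, correct side -> release
    (40, False, "left", "left"),   # moving -> no release
]
# One more vector exercises the False outcome of the assigned decision.
SUITE_FULL_DC = SUITE_BRANCH_ONLY + [
    (0, True, "left", "right"),    # stopped, but wrong side requested -> no release
]

if __name__ == "__main__":
    for label, suite in (("branch-only", SUITE_BRANCH_ONLY), ("full DC", SUITE_FULL_DC)):
        branch_cov, decision_cov, _ = run_suite(suite)
        print(f"{label}: branch {branch_cov:.0%}, decision {decision_cov:.0%}")
```

Under the SIL 2 criterion (branches) SUITE_BRANCH_ONLY already meets the 100% objective; under the SIL 3/4 criterion (DC) it stops at 75% and testing may not be declared complete until a vector drives `side_ok` to False. The same gap appears with target coverage tools on C code, since a compiler typically emits such a boolean assignment without a conditional jump.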


Overall Testing / Software Validation

“Overall Testing: To analyze and test the integrated software and hardware to ensure compliance with the Software Requirements Specification with particular emphasis on the functional and safety aspects according to the software safety integrity level and to check whether it is fit for its intended application.

The software shall be exercised either by connection to real items of hardware or actual systems with which it would interface in operation, or by simulation of input signals and loads driven by outputs.”


QTE Use: Develop Validation Tests on Host

1. Create Test Project

2. Edit Test Project

3. Launch Test Tools

4. Reports


QTE Use: Generate Test Harness for Target

5. Select Target:
• RTRT
• LDRA Tb
• …

6. Generate Test Harness


How to facilitate the HW/SW Integration in a Model-Based Approach

Simplorer


EN 50128:2011 OVERVIEW

SCADE MODEL-BASED APPROACH

CERTIFICATION


Certification of a Software

Certification is about assessing the evidence that the work is done right:

• Each generation/transformation is verified, or the corresponding tool is qualified

• It includes:
  • Documents (written, generated)
  • Models
  • Tests
  • Code (C code, object code)

• Each phase of the V-Cycle is concluded by a Verification Report

• It is demonstrated that the product complies with the specified safety requirements: Safety Case


How SCADE and its EN 50128 Certification Optimize the Certification Process

• Avoid the burden of verifying that the generated code exactly operates as the model; the SCADE Suite Code Generator (KCG) is qualified (Tool Class T3)

• Avoid the burden of verifying that the generated documents exactly represent the models; the SCADE LifeCycle Reporter is qualified (Tool Class T2)

• Avoid the burden of verifying that the target object code exactly operates as the C code; the SCADE Suite Compiler Verification Kit (CVK) verifies the target compatibility of the generated code (including: compiler, hardware)


Safety Case

Safety Case: the documented demonstration that the product complies with the specified safety requirements

It shall contain:

• Evidence of Quality Management

• Evidence of Safety Management

• Evidence of functional and technical safety

• Conditions of use

SCADE Suite KCG Certification Kit provides a large portion of evidence of Safety Management (software part of the system)


SIL 2 & SIL 3/4 Software Developments

SIL 4 applications are mainly Signaling applications that include: Interlocking, Traffic management, Train detection, etc.

SIL 2 applications are mainly in trains (Traction control, Braking system, Network management, etc.), in Tunnels (Fire detection, etc.), in Platform equipment, etc.

SIL 2, compared to SIL 3/4, requires less formal development and V&V techniques, a weaker test coverage criterion (Branch instead of DC), and less independence of team members

SCADE MBD approach provides benefits to SIL 2 and SIL 3/4 developments:

Level                    No SIL   SIL 2   SIL 3/4
Cost Reference           100      150     300
Cost with SCADE MBD      100      115     170
Savings with SCADE MBD   -        25%     45%


Conclusion

A Model-Based approach is an efficient solution to manage the main objectives established by the EN 50128:2011 standard:

• Architecture and Components

• Documentation and Traceability

• Configuration Management and Project Management

• Verification

• Certification

Should you need more support, please feel free to request our 2-day Classroom Training Course: « Realization of a Railway Application Compliant with the EN 50128:2011 Standard with ANSYS SCADE® »

• This course has been created by Jean-Louis Boulanger, CERTIFER and Esterel Technologies


And more…
