Software in the railway industry needs to meet the requirements of the standard CENELEC 50128. Eiffage Energie Railway Systems worked with Itris Automation to integrate PLC Checker into their project, to ensure compliance with the standard throughout the development of their PLC programs and to support the certification process.
Find out now how PLC Checker can support compliance needs and the certification process.
Find us at http://www.itris-automation.com
Contact us at contact@itris-automation.com for more information.
1. User Story
Quality verification of PLC programs in the railway industry to meet the requirements of the
CENELEC 50128 standard - 1
Quality verification of PLC programs in the railway industry to meet the requirements of the CENELEC 50128 standard.
The use of PLC Checker by Eiffage to support the certification process.
The context
Eiffage is a group in the construction and public works industry. Their entity Eiffage Energie Systèmes Ferroviaire designs, produces, and operates rail networks and systems.
The challenge
In a project for the railway industry, the PLC programs created by Eiffage were required to conform to the good-practice development methods defined by the CENELEC 50128 standard. Eiffage then needed to be able to prove this conformity to an external certification body for approval.
The solution
PLC Checker, an automatic verification tool for PLC programs, was identified as being able to meet a number of the requirements of CENELEC 50128 and therefore able to support Eiffage in the development and certification of their PLC programs.
The results
The PLC Checker reports supported Eiffage’s certification application, and the certification body approved the conformity of their PLC programs with the standard. Since commissioning, no software anomalies have been observed.
THE CONTEXT
Eiffage is a group in the building and public works industry. Their entity, Eiffage Energie Systèmes Ferroviaires (EESF), specialised in the railway industry, designs, produces, and operates rail networks and systems. In a recent project for the new high-speed train line between Brittany and the Loire Valley in France, EESF was responsible for the financing, design, and construction of the line, and they will be responsible for its maintenance for the next 25 years.
In the railway industry, safety is fundamental. Therefore, any software bearing a safety risk and destined for an application in this industry must be managed correctly. This is the reason for the existence of the CENELEC 50128 standard, which defines the process and technical criteria for the development of control/command system software in the railway industry, to ensure the safety of people and goods.
The programs that EESF developed for this railway project carried safety integrity level SIL 2. Consequently, they had to comply with CENELEC 50128 from the very beginning of the project. At the end of program development, they were required to prove the conformity of these programs to an external certification body in order to validate them.
THE CHALLENGE
Itris Automation started working with EESF to support them with the development of their CENELEC 50128-compliant PLC programs and with their certification process. Previously, EESF performed manual code reviews to verify that their PLC programs respected their corporate programming standard. But this technique is too limited and cannot ensure the safety level required by the standard: manual code reviews are never exhaustive, given the large number of lines of code and the amount of time and resources they require. Finally, Eiffage’s corporate programming standard is based on experience from previous projects which were not necessarily within the railway industry. It was therefore necessary to update the programming standard for this project to take into account the requirements specific to CENELEC 50128.
Certifer, the external certification body responsible for the certification of EESF’s project, suggested the use of a static analysis tool for PLC programs, such as PLC Checker, in order to meet the requirements of the CENELEC 50128 standard. PLC Checker, developed by the French company Itris Automation, is a collaborative application for the static analysis of PLC code. The tool can verify conformity with programming standards, calculate metrics, and detect anomalies in PLC programs. Industry leaders such as Schneider Electric, Ford, and EDF are already using PLC Checker.
Given that the CENELEC 50128 standard demands the use of appropriate verification techniques, and following Certifer’s recommendation, EESF decided to use PLC Checker to support the development of their PLC programs for the high-speed railway project.
THE SOLUTION
To start with, it was necessary to qualify PLC Checker by demonstrating that it meets the usage requirements of the high-speed railway project at safety integrity level SIL 2. According to the tool classes defined by CENELEC 50128, PLC Checker is classed T2, “a tool which allows for the testing or verification of a program, where any internal faults could lead to an error in the results of the verification but would not have an impact on the final executable software.” EESF, with the help of Itris Automation, put a testing strategy in place to: validate the functions to be used; ensure that any tool errors could not go undetected in the final product; manage any anomalies; and define the limits of use. The results of these tests were used to create a qualification file for the approval of the use of PLC Checker for the high-speed railway project. This file could also be useful for future projects in certified contexts (railway or other), thus enriching the offer of both Itris Automation and Eiffage.
PLC Checker helps integrate compliance with standards, such as CENELEC 50128 for railway, early on in a project.
After the tool qualification process, EESF was able to start integrating PLC Checker into their development process. Firstly, it was necessary to prepare the programming rule set for the tool. To do this, EESF presented their corporate coding standard and their needs to Itris Automation so that their requirements were taken into account during the creation of the customised rule set for PLC Checker. In turn, Itris Automation presented the rules from their own program development guidelines to evaluate whether they could be useful for EESF and whether they could contribute to verifying conformity with CENELEC 50128. EESF decided to adapt their coding rule set for this project by adding some of the pertinent rules from Itris Automation’s guidelines, resulting in a hybrid solution better adapted to the needs of the project. Once the rules had been defined, Itris Automation created the personalised PLC Checker rule set. This rule set was delivered to EESF, and the verification of their PLC programs with PLC Checker was able to begin.
EESF used PLC Checker to meet several of the requirements of CENELEC 50128. Firstly, they ran the tool to verify that the coding rules had been respected throughout the program development stage, an aspect highly recommended by the standard for programs at safety integrity level SIL 2. Then, as recommended (though not highly recommended) by the standard, EESF used the tool to monitor metrics, in order to follow the progress of the project and to judge the complexity and maintainability of the program. Finally, EESF used PLC Checker to analyse the control flow and the data flow of the program, another aspect highly recommended by CENELEC 50128. These analyses allowed any inconsistencies in the program’s execution sequence to be detected, such as the presence of dead code. PLC Checker facilitated all of these inspections and analyses by automating the most tedious part and by automatically producing results that EESF simply needed to interpret.
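To make the three kinds of check described above concrete (coding-rule conformity, a complexity metric, and control/data-flow anomalies such as dead code), here is a small analyser over a constructed IEC 61131-3 Structured Text program. It is example code added for this page, not PLC Checker or any Itris Automation code, and its rules are simplified assumptions chosen for the illustration: numeric literals other than 0 and 1 are flagged as magic numbers, declared variables that the body never references are flagged, a constant IF condition and any statement following RETURN or EXIT in the same block are reported as dead code, and cyclomatic complexity is approximated as one plus the number of IF/ELSIF/WHILE/FOR/CASE lines.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a small Structured Text program written for this example.
# It deliberately contains one finding of each kind checked below.
SAMPLE_ST = """PROGRAM Signalling
VAR
    trackOccupied : BOOL;
    signalRed     : BOOL;
    speedLimit    : INT;
    unusedTimer   : TIME;  (* declared but never referenced *)
END_VAR
IF trackOccupied THEN
    signalRed := TRUE;
ELSIF speedLimit > 160 THEN
    signalRed := TRUE;
ELSE
    signalRed := FALSE;
END_IF;
IF FALSE THEN
    speedLimit := 999;  (* constant condition: this branch can never run *)
END_IF;
IF signalRed THEN
    RETURN;
    speedLimit := 0;  (* unreachable: follows RETURN *)
END_IF;
END_PROGRAM
"""

VAR_BLOCK = re.compile(r"VAR(_[A-Z_]+)?")           # VAR, VAR_INPUT, VAR_OUTPUT, ...
VAR_DECL = re.compile(r"^\s*(\w+)\s*:\s*\w+\s*;")    # name : TYPE;
DECISION = re.compile(r"^\s*(IF|ELSIF|WHILE|FOR|CASE)\b", re.I)
CONSTANT_COND = re.compile(r"^\s*IF\s+(TRUE|FALSE)\s+THEN\b", re.I)
NUMBER = re.compile(r"\b\d+\b")


@dataclass
class Report:
    unused_variables: list[tuple[int, str]] = field(default_factory=list)
    dead_code: list[tuple[int, str]] = field(default_factory=list)
    magic_numbers: list[tuple[int, str]] = field(default_factory=list)
    cyclomatic_complexity: int = 1


def strip_comments(line: str) -> str:
    """Remove (* ... *) comments; assumption: a comment never spans lines."""
    return re.sub(r"\(\*.*?\*\)", "", line)


def analyse(source: str) -> Report:
    report = Report()
    declared: dict[str, int] = {}          # variable name -> declaration line
    body: list[tuple[int, str]] = []       # (line number, text) outside VAR blocks
    in_var = False
    for no, raw in enumerate(source.splitlines(), 1):
        line = strip_comments(raw)
        upper = line.strip().upper()
        if VAR_BLOCK.fullmatch(upper):
            in_var = True
        elif upper == "END_VAR":
            in_var = False
        elif in_var:
            m = VAR_DECL.match(line)
            if m:
                declared[m.group(1)] = no
        else:
            body.append((no, line))

    # Data flow (simplified): a declared variable that the body never mentions.
    for name, decl_line in declared.items():
        used = re.compile(rf"\b{re.escape(name)}\b")
        if not any(used.search(text) for _, text in body):
            report.unused_variables.append((decl_line, name))

    # Control flow, coding rule and metric in one pass over the body.
    after_jump = False
    for no, line in body:
        text = line.strip()
        if not text:
            continue
        upper = text.upper()
        if after_jump:
            if upper.startswith(("END_", "ELSE")):   # block closed: reachable again
                after_jump = False
            else:
                report.dead_code.append((no, text))  # statement after RETURN/EXIT
                continue
        for literal in NUMBER.findall(text):         # rule: no magic numbers but 0 and 1
            if int(literal) not in (0, 1):
                report.magic_numbers.append((no, literal))
        if CONSTANT_COND.match(text):                # branch guarded by a constant
            report.dead_code.append((no, text))
        if upper in ("RETURN;", "EXIT;"):
            after_jump = True
        if DECISION.match(text):                     # metric: 1 + decision points
            report.cyclomatic_complexity += 1
    return report


def conforms(report: Report, max_complexity: int = 10) -> bool:
    """Verdict: no findings and complexity within the agreed limit."""
    return (not report.unused_variables and not report.dead_code
            and not report.magic_numbers
            and report.cyclomatic_complexity <= max_complexity)


if __name__ == "__main__":
    r = analyse(SAMPLE_ST)
    for kind in ("unused_variables", "dead_code", "magic_numbers"):
        for no, what in getattr(r, kind):
            print(f"line {no}: {kind}: {what}")
    print(f"cyclomatic complexity: {r.cyclomatic_complexity}; conforms: {conforms(r)}")
```

Run as a script, the analyser lists the unreferenced `unusedTimer`, the `IF FALSE` branch, the statement after `RETURN`, and the two literals `160` and `999`, and reports a complexity of 5; `conforms()` is the kind of pass/fail verdict a verification team attaches to an agreed rule set and complexity limit, whereas the findings themselves still need the human interpretation the text mentions.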
Finally, PLC Checker was used during different levels of testing in order to ensure the highest quality from the very beginning of the development. The flexibility of the tool allowed the different teams to use it according to their specific needs. For the developers, the tool allowed them to test the applications during the development stage and thus to find any major non-conformity issues earlier, when it is easier to correct them. Then, the testing team used the tool to check certain parts of the program and certain coding rules that are particularly important. Finally, the tool allowed the internal verification team and the external validation team to have an overview of all the analyses so that they could audit the development process. EESF especially appreciated this collaborative characteristic of PLC Checker, as it enabled the results to be easily shared between the different stakeholders and it provided a global view of the project.
Some key project figures
• 4 PLCs
• 10,000 inputs/outputs
• 200 different software components
• 17,000+ lines of code
• 11,000+ alarms
THE RESULTS
EESF tested all the programs and components of their project with PLC Checker, and the issues brought up in the tool’s analysis reports were corrected. The reports generated by PLC Checker were then analysed by the verification and validation teams to confirm that the programs and the quality management process were compliant with the CENELEC 50128 standard. After all the efforts of EESF, the external certification authority, Certifer, declared themselves satisfied with the process and approved the conformity of EESF’s programs with the standard:
“The creation, the verification, and the validation of the software conform with the CENELEC 50128:2011 norm for software with a security level SIL 2.”
Since the commissioning of the high-speed railway line Brittany – Loire Valley in July 2017, no software anomalies have been observed.
Eiffage Energie Systèmes Ferroviaire is now planning to systematise the use of
PLC Checker for all certified projects.
PLC Checker is available for
• CoDeSys v2.x, v3.x
• Beckhoff TwinCAT 2 and 3
• ICS Triplex ISaGRAF 4.12
• Phoenix Contact PC Worx and MULTIPROG 5.50
• PLCopen XML
• Rockwell Automation RSLogix 5, RSLogix 500, and RSLogix 5000
• Schneider Electric Unity Pro, PL7 Pro, Orphee, XTEL, and SoMachine 4
• Siemens Step5, Step7, and TIA Portal
• Yokogawa Stardom
About Itris Automation
Based in Grenoble, France, Itris Automation is a software engineering company that provides development and production tools for the verification, conversion, documentation and troubleshooting of PLC code, to complement the programming tools of international PLC vendors. Thanks to their advanced technologies, Itris Automation helps companies improve their development processes and thus deliver higher quality programs in shorter timeframes. The Itris Automation team are experts in software quality and coding standards, and they have combined their knowledge and skills to provide innovative solutions for the industry.
Schneider Electric, EDF, Sanofi, Ford, Eiffage, Soitec, and ArianeGroup are among Itris Automation’s main customers.
For more information, please visit our website www.itris-automation.com