The EN50128 safety standard for the European safety critical rail software places great importance on the development process.
Every change to the software has to be based on a defined requirement, and in order to validate the software you have to prevent evidence that every change was approved by a reviewer that is competent for that area of the software. The validation report contains the signature of this person.
If your code passes every test, but it wasn't developed in accordance with the process, it might as well not exist.
Of course I can't say how well this process was followed in NEWAG, but in theory rogue changes shouldn't be possible.
Every change to the software has to be based on a defined requirement, and in order to validate the software you have to prevent evidence that every change was approved by a reviewer that is competent for that area of the software. The validation report contains the signature of this person.
If your code passes every test, but it wasn't developed in accordance with the process, it might as well not exist.
Of course I can't say how well this process was followed in NEWAG, but in theory rogue changes shouldn't be possible.