
EN 50716: The unified Safety Standard for Railway Software
Unified Software Assurance — How EN 50716:2023 defines a new Era
The railway industry is entering a transformative phase: software is no longer a side-component of signaling or rolling stock — it is the core of control, safety, communication, diagnostics, and increasingly even services. Recognizing this, standards bodies have moved from a fragmented certification landscape to a unified, cross-domain standard: EN 50716:2023. For OEMs, systems integrators, railway operators, and decision-makers, this brings both a challenge and a huge opportunity. As one of the leading providers of certifiable real-time operating systems (RTOS) and hypervisor solutions, SYSGO is well positioned to support this transition — minimizing risk, accelerating time-to-market, and future-proofing rail software architectures.
In this post we unpack what EN 50716 changes, why it matters, how SYSGO fits in, and what it could mean for the future of rail software development.
What is EN 50716:2023 and what changed?
A New “Single Norm” for Railway Software
EN 50716:2023 — titled “Railway Applications – Requirements for software development” — was published by CENELEC in November 2023, effectively replacing the previously separate norms EN 50128 (for signalling/control systems) and EN 50657 (for rolling-stock software). The standard now covers all software for programmable electronic systems in railway contexts: control and command for signalling, on-board systems, firmware, embedded OS, support tools — anything from high-level application code down to low-level firmware.
A significant shift: It removes the dichotomy between “infrastructure (signalling)” and “vehicles (rolling stock)” — development rules are unified across both domains. Even software previously considered “non-safety-related” (formerly SIL 0) can now fall under the standard’s scope via a “basic integrity” classification.
Evolution with Key Enhancements
While EN 50716 builds on the structure of EN 50128 / EN 50657, its text has been heavily revised: many sub-chapters were updated or removed, and although the chapter numbering remains similar, the content has changed.
Key updates include:
- Software Integrity Levels (SIL) now span from “basic integrity” (SIL 0) up to SIL 4, enabling usage even for non-safety-critical or low-risk applications under a standard framework.
- Organizational & process requirements are clarified: Roles, separation of concerns, independence, safety-culture aspects are more explicitly regulated (e.g., more detail on organizational independence to avoid profit-driven pressure unduly influencing safety decisions).
- The standard refines requirements for software assurance: Static analysis, dynamic testing, code coverage, test coverage, structured verification are emphasized — even for lower SIL levels.
- Flexibility is improved: Support for iterative development cycles, modeling (e.g., UML/SysML), configuration via application data rather than monolithic builds, and even accommodations for toolchains, pre-existing components, and modern languages. That can help align railway software processes with agile or modern software development practices while staying compliant.
- For software customized via “application data” (e.g., configuration of generic platforms), new artefacts such as “application integration test specification”, “application release note”, failure analysis (instead of risk analysis), and application release documentation are mandated.
- Deployment and maintenance are also addressed: Changes must be assessed with clear change control; assessors must produce “software assessment reports” for changes in SIL 1–4 systems.
In short: EN 50716 brings modern software engineering rigor — traceability, full lifecycle integrity, suitability for modern development methods — while unifying and simplifying the certification landscape for railway software.
What EN 50716 enables for Rail Digitization
Meeting Industry Digitalization Head-On
- As rail becomes more software-defined (e.g. signalling, predictive maintenance, remote diagnostics, onboard computing platforms, IoT integration, predictive analytics), reliability and safety demands scale rapidly. EN 50716 provides a consistent framework to build these systems across the railway ecosystem.
- By accommodating non-safety-critical software under “basic integrity” and enabling modern practices (iterative development, modular configuration, updated toolchains and languages), EN 50716 reduces friction for bringing new digital features — even for low-risk components — into certified systems.
Reducing Complexity & Certification Overhead
- For OEMs and suppliers previously juggling both EN 50128 and EN 50657 (depending on whether software was for trackside signalling or rolling stock), now only one standard needs to be addressed. That simplifies certification, project planning, audits, maintenance.
- The unified standard fosters reuse: Generic software stacks, platform components, communication middleware, even hypervisor-based virtualization stacks can be developed once, certified, and reused across domains — lowering cost and time to market.
Supporting modern Software Methods without sacrificing Safety
- The inclusion of iterative development, modeling, and support for modern languages (the standard’s language requirements are now defined by properties — modularity, commenting support, strict typing, testability — rather than by a list of specific “allowed languages”) allows for adoption of modern software engineering best practices (e.g. agile, model-based design, newer languages such as Rust or modern C++ versions) while staying compliant.
- This balance — safety + agility — is critical to enable rail systems to evolve rapidly (e.g. supporting advanced functions, AI/ML, predictive maintenance, data-driven operations) without being locked into rigid waterfall-only processes.
Why SYSGO is well-positioned
If you are an OEM, integrator or decision-maker evaluating platforms for future-proof rail software, the status of PikeOS (by SYSGO) in light of EN 50716 is particularly relevant:
- SYSGO has decades of experience in safety-critical RTOS and hypervisor development. PikeOS has long been certified for railway norms — EN 50128 (up to SIL 4) and EN 50657 — positioning it as a proven platform for signalling and rolling stock control when those were the prevailing standards.
- Thanks to its pre-certified status, many of the foundational artefacts (documentation, architecture, safety case, certification kits) are already in place. This reduces the incremental burden of adapting to EN 50716 — especially when building new or upgrading systems.
- PikeOS supports mixed-criticality systems — multiple OSes or applications, each with different criticality levels — on a single hardware platform. That makes it ideal for modern railway applications combining hard-real-time safety-critical tasks (train control, signalling) with less-critical tasks (passenger information, diagnostics, predictive maintenance, connectivity), even on the same system.
- From a security standpoint, SYSGO offers the right solutions against modern threats: PikeOS achieved security certification under the widely recognized Common Criteria (CC) at level EAL 5+ — a strong commitment that the platform addresses not just functional safety but also cybersecurity aspects.
- SYSGO has a proven track record across diverse domains: Historically aerospace, automotive, industrial automation. This cross-industry expertise positions it well to support customers building next-gen rail systems under EN 50716, where software platforms may require both safety and security compliance, and where mixed-criticality and modular design become the norm.
In short: For rail OEMs and integrators looking for a future-proof, certified, mixed-criticality software platform that aligns with EN 50716 — reusing existing certification investments — PikeOS offers a compelling base.
Use Cases: How EN 50716 and SYSGO bring Value in real Projects
Here are some concrete scenarios where the new standard, combined with SYSGO’s technology, delivers real advantages:
- Modern Signalling Systems Upgrade: A railway operator wants to upgrade legacy interlocking and signalling systems on a line. Using a platform based on PikeOS, the supplier can certify the new control software according to EN 50716, while also adding new features — e.g. remote monitoring, diagnostics, predictive maintenance, even over-the-air updates — in parallel, as separate partitions.
- Rolling Stock (Trains) with Mixed Functions: On a modern train, you have hard-real-time safety-critical control (brakes, door control, train integrity), but also non-safety services: Passenger infotainment, passenger information systems, predictive maintenance, Wi-Fi, connectivity, sensors for condition monitoring. With EN 50716’s unified scope and PikeOS’s mixed-criticality separation, you can run all on one hardware platform, while certifying only what’s safety-relevant and still enabling innovation and service features without full re-certification.
- Networked / Cloud-enabled Rail Infrastructure: As rail becomes more connected (edge/cloud backends for predictive maintenance, remote diagnostics, fleet management), EN 50716’s support for modern development and deployment lifecycles — and SYSGO’s portfolio including connectivity platforms — enables safe, secure, maintainable integration of networked components (on-board, wayside, cloud), while preserving safety and security boundaries.
- Greenfield and Retrofit Projects: Whether building next-gen trains or retrofitting older fleets/infrastructure, the unified standard allows the supplier to standardize on one certification process. For retrofit: Even upgrades or maintenance can be assessed under the standard (major modifications in full, minor changes under maintenance guidelines) — making modernization more manageable and traceable.
Why EN 50716 and PikeOS are a Game-Changer
- Faster Innovation in Rail Software: The combination of rigorous safety processes with support for iterative development and modular configurations could lead to shorter development cycles, easier integration of new features (connectivity, diagnostics, AI-based predictive maintenance), and faster time-to-market — all without compromising safety.
- Lower Total Cost of Ownership: By using mixed-criticality platforms and reusing certified components (OS / hypervisor / partitioning), OEMs and integrators can reduce certification effort for each new product — avoiding redundant work, simplifying maintenance, and making upgrades less painful.
- Bridging Safety and Cybersecurity: As rail systems become more connected, cybersecurity becomes as critical as functional safety. Platforms like PikeOS (safety-certified + CC-certified) provide a solid foundation to build safety-critical, networked, secure rail applications.
- Support for Digital Rail Transformation: EN 50716’s flexibility makes it a good fit for future railway trends: predictive maintenance, diagnostics, rolling-stock health monitoring, cloud-connected infrastructure, AI/ML-based analytics — while ensuring that the safety-critical core remains robust, verifiable, and certifiable.
- Consolidation of Suppliers and Simplified Ecosystem: With a common standard across signaling, on-board systems, and infrastructure, suppliers and OEMs can unify their toolchains, processes, and platforms — fostering economies of scale and reducing fragmentation in the rail software market.
What OEMs, Engineers and Decision-Makers should do
- Start early with EN 50716 compliance: If you are planning new software components — even for “non-safety” functionality — consider specifying them under EN 50716 from the start (e.g. as “basic integrity”). That will future-proof your software and avoid costly rewrites.
- Favor pre-certified platforms where possible: Using a platform like PikeOS, already certified under EN 50128/50657, gives you a running start. It means fewer re-certification gaps, reuse of existing documentation (certification kits), and lower risk.
- Adopt mixed-criticality architecture: Separate safety-critical and non-critical functions via partitioning (hypervisor/RTOS-based). That way, you can run services, connectivity, diagnostics alongside safety-critical code — but certify only what needs certifying.
- Adapt development workflows: EN 50716 supports modern practices (iterative development, modeling, modern languages). Update your toolchains, processes, and documentation to leverage these advantages — but keep traceability, test coverage, verification processes in place.
- Plan for maintenance and evolution: The standard addresses deployment, maintenance, change control. Treat updates, patches, new features not as ad-hoc, but as lifecycle-managed changes, with safety assessments, release notes, and documentation.
Conclusion
EN 50716:2023 marks a turning point — from a fragmented, dual-standard world to a unified, flexible, lifecycle-oriented framework for railway software. It aligns the rigor of functional safety with the realities of modern software engineering. For railway OEMs and integrators, this is a chance to build the next generation of rail systems — safer, more reliable, yet innovative, connected, and future-ready.
SYSGO, with its long history of safety-certified RTOS and hypervisor technology, mixed-criticality support, and strong security credentials (Common Criteria), sits right at the intersection of “safe rail heritage” and “digital rail future.” For anyone in the rail market — from engineering leads to CTOs and project decision-makers — this makes PikeOS + EN 50716 an option worth seriously evaluating for any new or upgraded rail software project.

