Build Railway Applications to EN 50716 with Model-Based Design
By Mohammad Abu-Alqumsan and Tom Erkkinen, MathWorks
The publication of EN 50716:2023 by CENELEC provides the railway industry with a single, unified European standard governing software development for both trackside and onboard rolling stock applications. This standard, released in November 2023, establishes consolidated requirements for safety‑critical and operational software used across modern railway systems.
Prior to EN 50716, these domains were covered separately by EN 50128 (for communication, control, and protection systems) and EN 50657 (for rolling stock software). EN 50716 explicitly supersedes and replaces the earlier standards, bringing consistency, reducing redundancy, and aligning processes across railway applications.
According to EN 50716, the required software integrity level is determined and assessed at the system level, based on the system safety integrity level (SIL) and the risk associated with the software’s use within the system (EN 50126). Software integrity is specified as one of five defined levels ranging from Basic Integrity (lowest) to SIL 4 (highest).
Why Model-Based Design Is an Ideal Choice for EN 50716 Compliance
While maintaining continuity with EN 50128 and EN 50657, EN 50716 introduces elements that reflect substantial modernization of software engineering expectations in the rail sector:
- An expanded role for simulation models in development
- Elevation of formal methods to highly recommended (HR) for all SIL levels (not just SIL 3 and SIL 4 as in earlier standards)
- Explicit considerations for AI/machine learning
- Clearer alignment with system and cybersecurity domains
These areas are fully mastered by Model-Based Design. Model-Based Design inherently supports EN 50716 intent. It treats models as primary engineering artifacts, supporting requirements capture and architecture, component design, code generation, verification, integration, and maintenance. Model-Based Design improves communication, traceability, repeatability, and evidence creation across the system and software lifecycle while enabling the practical adoption of formal methods.
IEC Certification Kit (for IEC 61508, EN 50716, and related standards) details this support and provides tool certificates and assessment reports from the international certification authority TÜV SÜD.
How Model-Based Design Supports EN 50716
EN 50716 defines a rigorous process for structured, traceable, and verifiable development. Model-Based Design lets organizations satisfy the standard’s recommendations using a SIL-tailored, end-to-end reference workflow that covers the whole system as well as software development, verification, and validation activities.
Figure 2. System and software development and verification processes using Simulink. While this article focuses on software development, you can use model-based systems engineering with System Composer and Simulink for system-level activities (EN 50126) as shown at the left side of the workflow diagram.
In this article, the focus is on:
- Software requirements
- Architecture and design
- Component design
- Component implementation and testing
- Integration and testing
- Software deployment and maintenance
- Software assurance
Software Requirements
Using Requirements Toolbox™ you can define textual requirements in a structured manner and augment natural language requirements with simulation models. This approach enables clear and unambiguous representations of functional, interface, and safety requirements.
By ensuring robust and bidirectional traceability between requirements and models, model elements and source code, and corresponding test cases, organizations can meet EN 50716’s demands for transparent documentation and rigorous verification throughout the software lifecycle.
Figure 3. Requirements specification and traceability management with Requirements Toolbox.
Architecture and Design
Model-Based Design supports hierarchical architectural modeling, enabling teams to decompose complex software into structured layers where behaviors and interfaces can be validated early by the modeling tool and through automated consistency checks. This structured approach makes the allocation of requirements to components inherently traceable and analyzable, ensuring that each requirement is linked to a well-defined architectural element (e.g., software component) and can be systematically verified through downstream testing.
Figure 4. Modeling software architectural designs with block, activity, and sequence diagrams using System Composer.
Component Design
You can model software component designs using state machines (Stateflow®), signal-flow diagrams (Simulink®), MATLAB® code, or a hybrid approach combining Simulink, Stateflow, and MATLAB. Model-Based Design allows designers to precisely specify system transitions, event handling, and deterministic execution behavior.
Model-Based Design also supports static analysis at the model level, where you can use Simulink Check™ capabilities to verify models against established modeling guidelines. In parallel, you can perform model simulations to uncover existing logical errors, incorrect assumptions, and interface mismatches. Together, simulation and static model analysis expose issues as early as their introduction and long before software implementation or hardware prototypes are available, significantly reducing downstream rework and improving development efficiency.
Figure 5. Model-Based Design options using a data-flow diagram (Simulink), a state machine (Stateflow), and MATLAB code.
Further, with physical domain modeling in Simulink and Simscape™, you can perform closed-loop simulation of the plant dynamics to appropriately adjust or tune the software component models. During later integration activities, closed-loop simulations let you capture engine, braking, and environmental impacts on the complete system.
Component Implementation and Testing
It is straightforward to generate C/C++ implementation code from detailed component designs in Simulink using Embedded Coder®, ensuring that the model’s discrete logic and behavior are carried through to production software. This automatic code generation aligns with T3 tool expectations in EN 50716, reducing manual coding effort and eliminating many classes of hand-coding errors while producing deterministic, analyzable implementations suitable for safety-critical software.
Figure 6. Side-by-side view of a model and generated code with end-to-end traceability.
Complementing this workflow, model-in-the-loop (MIL), software-in-the-loop (SIL), and processor-in-the-loop (PIL) testing provide a scalable verification strategy that starts with functional verification at the model level, advances to execution of generated code in a simulated environment, and concludes with running the code on the target processor. Transitioning between MIL, SIL, or PIL requires minimal effort, supports a high degree of test case reuse, and contributes to confidence in correctness and consistency across the full development lifecycle. Lastly, hardware-in-the-loop (HIL) testing can follow the production hardware implementation by executing your closed-loop plant model on real-time hardware.
To this end, you can use Simulink Test™ to manage and orchestrate all testing modes within a unified framework, enabling a consistent approach to test definition, execution, and reporting across MIL, SIL, PIL, and HIL. In addition, Simulink Coverage™ lets you assess structural coverage as objective evidence of test completion through statement, branch, and MC/DC metrics.
Integration and Testing
At the software architecture level, models orchestrate integration scenarios by defining how components interact through well-structured interfaces, execution flows, and communication patterns (using sequence and activity diagrams). Architecture-level simulations allow teams to validate integration behavior early by exercising the complete application software structure under realistic timing, event handling, and data exchange conditions. The simulation-driven approach helps uncover architectural defects, interface mismatches, and integration risks early, when design changes are far less costly.
Automated test case generation and execution further strengthen this architectural validation. By deriving tests directly from requirements (using specification models) and architecture-level behavior, teams can achieve consistent coverage and enforce traceability, which aligns with EN 50716’s emphasis on systematic verification.
Software Assurance
End-to-end traceability—from requirements to architectural and detailed design models to generated code to verification tests and results—provides a structured chain of evidence that supports rigorous validation. By ensuring that every requirement is explicitly linked to the corresponding model elements, implementation artifacts, and test results, development teams can demonstrate a clear, auditable rationale for how system-level intents are realized in software behavior. This traceability is essential for safety-critical domains because it enables systematic impact analysis, consistent verification, and transparent justification of design decisions across the full software lifecycle, including controlled updates, change impact analysis, and long-term maintainability.
Formal Methods
Under EN 50716, formal methods are highly recommended for SIL 1 through SIL 4 software. Simulink Design Verifier™ lets you apply formal methods at the model level to strengthen software assurance by mathematically verifying key properties such as safety invariants, absence of run-time errors, correctness of state transitions, and adherence to architectural contracts.
These proofs complement simulation and testing by providing guarantees that cannot be achieved through testing alone, thereby increasing confidence in the correctness and robustness of the component design before code is generated. For instance, in a train control mode logic application, it is possible with formal methods to mathematically prove that unsafe mode combinations, such as traction being enabled while doors are released or braking supervision being bypassed during movement, are unreachable under all valid operating conditions, including fault scenarios. Similarly, formal analysis of cruise control logic can prove that traction commands always respect speed limits and safety constraints and are reliably inhibited whenever higher‑priority conditions such as braking, loss of supervision, or mode transitions occur.
Figure 7. Simulink Design Verifier lets you apply formal methods at the model level to prove safety properties. This example shows formal property proving of safe Movement Authority (MA) generation and transmission by the Radio Block Centre (RBC).
With Polyspace® products, similar assessments of quality, robustness, and, more importantly, run-time errors can be determined on both generated and handwritten code.
Support Tools and Languages
EN 50716 establishes explicit requirements for the use of support tools and languages in railway software development, recognizing that tools can influence the safety and integrity of the resulting software. The norm requires that development, verification, and code generation tools be well integrated and that tool selection and use be justified and controlled.
It also categorizes tools according to tool potential impact on executable software into T1, T2, and T3 classes. Tools that can directly or indirectly introduce faults (i.e., T2 and T3 tools) must be supported by documented evidence proportional to the software integrity level (Basic Integrity to SIL 4).
IEC Certification Kit (for IEC 61508, EN 50716, and related standards) directly supports compliance with these requirements by providing tool classification and prequalification artifacts, TÜV SÜD certificates and assessment reports, validation test suites, and templates that can be adapted to your project’s specific tool usage. As a result, the effort needed to justify and document the use of Model-Based Design development, code generation, and verification tools under EN 50716 is significantly reduced.
IEC Certification Kit provides a mapping document from EN 50716 methods and techniques to use cases of Model-Based Design. The table below is taken from this document.
Table A.5 – Verification and Testing
| Technique/Measure | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|
| 1. Formal Proof | Simulink – Model Verification block library | Model Verification blocks can be used to formalize software safety requirements and other model properties. |
| Simulink Design Verifier – Property proving, design error detection | Property proving can be used to verify model properties using formal verification techniques. Design error detection can analyze a model to detect the following common design errors: integer overflow, division by zero, dead logic, and assertion violations. | |
| Polyspace Code Prover and Polyspace Code Prover Server – Code verification | Run-time error detection can analyze C or C++ code to identify software errors that might occur during run time. Polyspace Code Prover and Polyspace Code Prover Server provides code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in source code. Polyspace Code Prover and Polyspace Code Prover Server use formal methods-based abstract interpretation techniques to verify code. | |
| 2. Static Analysis | Simulink Check – Model Advisor Checks | Model Advisor can be used to verify compliance to the modeling standard. See Table A.19 (2) Checklists. |
Alignment of Functional Safety and Cybersecurity
EN 50716 recognizes the possible complex interactions between cybersecurity and functional safety domains in connected railway systems. For example, cybersecurity threats can directly impact functional safety, and cybersecurity measures can have detrimental consequences on safety. As such, EN 50716 recommends balancing safety and security measures and lists IEC 62443 and CLC/TS 50701 as appropriate standards to address cybersecurity.
Model-Based Design and model-based systems engineering using Simulink and System Composer™ provide a practical way to align the two domains through a shared, executable system model across the lifecycle. Safety-related functions, system interfaces, and operational assumptions can be modeled alongside cybersecurity assets and potential cybersecurity attack surfaces. The shared model enables early identification of interactions, supports combined or sequential hazard and threat analysis, and allows engineers to simulate malicious conditions to assess their impact on safety.
At the software level, safety and security functions, such as monitoring, plausibility checks, message validation, authentication logic, and anomaly detection, can be co-developed and evaluated within the same architectural context. Continuous verification using static model and code analysis, simulation, and in-the-loop testing helps ensure that both safety and cybersecurity requirements are met and remain aligned as the design evolves. Furthermore, integrated traceability from requirements to models and test results improves cross-domain collaboration between system, safety, and security engineering teams.
Use of AI and Machine Learning
Model-Based Design addresses AI and machine learning challenges identified in EN 50716 by enabling system-level verification and evidence generation that mitigate limited machine learning structural visibility. Integrating machine learning components into executable Simulink models supports requirements-based and scenario-based testing, scenario coverage analysis, and closed-loop validation across defined operational design domains. Further, simulation enables exploration of operating conditions beyond the training data, which in turn leads to confidence in data completeness. To specifically address robustness, systematic perturbation analysis and fault injection testing with Simulink Fault Analyzer™ support assessment of adversarial inputs and distributional shifts.
Conclusion
The integration of models, code generation, static model and code analysis, testing with coverage, automated test case generation, and formal methods forms a comprehensive approach to meeting the demanding requirements of EN 50716 for railway software development. By ensuring end-to-end traceability and leveraging advanced support tools, development teams can deliver robust, safe, and verifiable software solutions. This structured methodology not only facilitates compliance but also enhances long-term maintainability and transparency, ultimately contributing to the reliability and safety of railway systems.
Published 2026
