EN 50129: Railway Signalling Hardware Safety Standard Explained (2026)
EN 50129 explained: safety-related electronic systems for railway signalling — THR, FMEDA, SIL allocation and Safety Case structure. How it works with EN 50126 and EN 50128.

Quick Answer — EN 50129
EN 50129 is the CENELEC standard that defines the safety requirements for safety-related electronic systems used in railway signalling — including interlockings, trackside controllers, level crossing systems, and on-board safety computers. It sits alongside EN 50126 (RAMS lifecycle) and EN 50128 (safety software) as the third pillar of the CENELEC railway safety framework. Its central requirement is the production of a formal Safety Case — a structured argument, supported by evidence, that a system is acceptably safe to place into service. EN 50129 was first published in 2003 and most recently updated in 2018.
What is EN 50129?
EN 50129 (full title: "Railway applications — Communication, signalling and processing systems — Safety related electronic systems for signalling") is the CENELEC standard that governs the design, analysis, and approval of electronic hardware used in safety-critical railway signalling applications.
Where EN 50126 addresses the overall system RAMS lifecycle and EN 50128 covers safety-related software, EN 50129 focuses specifically on the electronic hardware level: circuit boards, processor units, input/output modules, power supplies, and the complete electronic assemblies that form the core of modern signalling systems. Together, these three standards form an integrated framework that covers every technical layer of a railway safety system.
EN 50129 is widely referenced in procurement specifications across Europe and beyond, and compliance with it — or with its international equivalent, IEC 62425 — is typically required for safety authorisation by National Safety Authorities (NSAs) for signalling systems on the trans-European rail network.
EN 50129 Within the CENELEC Safety Standards Framework
Understanding EN 50129 requires understanding how the three CENELEC railway safety standards relate to each other:
| Standard | Scope | Primary Output | Applies To |
|---|---|---|---|
| EN 50126 | RAMS lifecycle — system level | RAMS Plan, Hazard Log, SIL allocation | Whole system / project |
| EN 50128 | Safety-related software | Software Safety Case, SSIL compliance | All safety-related software |
| EN 50129 | Safety-related electronic hardware | Hardware Safety Case, FMEDA, THR | Signalling hardware & assemblies |
The three standards are intentionally complementary. EN 50126 sets the system-level RAMS targets and SIL requirements. EN 50129 then takes the SIL allocation for hardware subsystems and defines how to demonstrate — through quantitative analysis and structured evidence — that the hardware meets that SIL. EN 50128 does the same for software. A complete signalling system safety case typically references all three simultaneously.
Key Concepts in EN 50129
Tolerable Hazard Rate (THR)
The Tolerable Hazard Rate (THR) is the maximum permissible rate of dangerous failures per hour that a safety function may exhibit. It is the central quantitative requirement of EN 50129 and is directly derived from the SIL assigned to each safety function under EN 50126. Each SIL level corresponds to a range of THR values:
| SIL Level | THR Range (dangerous failures per hour) | Typical Application |
|---|---|---|
| SIL 4 | < 10⁻⁹ per hour (less than 1 in a billion per hour) | Automatic Train Protection (ATP) for highest-speed lines |
| SIL 3 | 10⁻⁹ – 10⁻⁸ per hour | Computer-Based Interlocking (CBI), ETCS on-board units |
| SIL 2 | 10⁻⁸ – 10⁻⁷ per hour | Level crossing protection, points machine control |
| SIL 1 | 10⁻⁷ – 10⁻⁶ per hour | Non-vital signalling aids, monitoring systems |
FMEDA — Failure Modes, Effects and Diagnostic Analysis
FMEDA is the core analytical technique used in EN 50129 to quantify the failure behaviour of electronic hardware. Unlike a standard FMEA (which identifies failure modes qualitatively), FMEDA adds failure rate data and diagnostic coverage information to calculate the precise rates of safe failures, dangerous detected failures, and dangerous undetected failures for each component.
The key outputs of an FMEDA are:
- λDD (Dangerous Detected failure rate) — failures that are hazardous but caught by the system’s own diagnostics
- λDU (Dangerous Undetected failure rate) — failures that are hazardous and not caught by diagnostics; this is the term compared against the THR and the main determinant of whether it is met
- DC (Diagnostic Coverage) — the fraction of dangerous failures detected by the system: DC = λDD / (λDD + λDU)
- SFF (Safe Failure Fraction) — the proportion of all failures that are either safe or dangerous-detected: SFF = (λS + λDD) / λtotal
EN 50129 uses SFF as a key metric in determining the hardware architecture required to achieve each SIL level — higher SFF requirements drive the use of redundant or diverse hardware architectures.
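To make the FMEDA roll-up concrete, here is an added worked example (not code from the standard or from any signalling supplier) that applies the DC and SFF formulas above to a constructed failure-mode list for a single-channel output stage, then checks the resulting λDU against the SIL/THR bands as listed in the table in the THR section. The component names, failure rates (in FIT) and coverage figures are all constructed for illustration, and the THR_UPPER_BOUND lookup simply encodes the page's table, not the standard's normative text.

```python
from dataclasses import dataclass
FIT = 1e-9  # 1 FIT = one failure per 1e9 hours; EN 50129 states THR per hour
# Exclusive upper bound of the THR band per SIL, as in the table above (constructed lookup).
THR_UPPER_BOUND = {4: 1e-9, 3: 1e-8, 2: 1e-7, 1: 1e-6}

@dataclass(frozen=True)
class FailureMode:
    component: str
    mode: str
    rate_fit: float        # failure rate of this mode, in FIT
    dangerous: bool        # True if the mode leads to the hazard unless detected
    coverage: float = 0.0  # diagnostic coverage for this mode, 0.0 .. 1.0

def fmeda(modes):
    """Roll a failure-mode list up into lambda_S / lambda_DD / lambda_DU, DC and SFF."""
    lam_s = lam_dd = lam_du = 0.0
    for m in modes:
        if not 0.0 <= m.coverage <= 1.0:
            raise ValueError(f"coverage out of range: {m.component} {m.mode}")
        if m.dangerous:
            lam_dd += m.rate_fit * m.coverage          # dangerous, caught by diagnostics
            lam_du += m.rate_fit * (1.0 - m.coverage)  # dangerous, not caught
        else:
            lam_s += m.rate_fit                        # safe failure (fails to safe state)
    lam_d, total = lam_dd + lam_du, lam_s + lam_dd + lam_du
    return {"lambda_s": lam_s, "lambda_dd": lam_dd, "lambda_du": lam_du,
            "dc": lam_dd / lam_d if lam_d else 1.0,             # DC = lDD / (lDD + lDU)
            "sff": (lam_s + lam_dd) / total if total else 1.0}  # SFF = (lS + lDD) / ltotal

def sil_supported_by(lambda_du_fit):
    """Highest SIL whose THR band (table above) the undetected dangerous rate falls within."""
    per_hour = lambda_du_fit * FIT
    for sil in (4, 3, 2, 1):
        if per_hour < THR_UPPER_BOUND[sil]:
            return sil
    return 0  # 1e-6 /h or worse: outside every SIL band

def du_contributions(modes):
    """Which modes drive lambda_DU, largest first: the first thing an assessor asks for."""
    parts = [(m.component, m.mode, m.rate_fit * (1.0 - m.coverage)) for m in modes if m.dangerous]
    return sorted(parts, key=lambda p: p[2], reverse=True)

# Constructed sample: the output stage of a single-channel (1oo1) trackside controller.
SAMPLE = [
    FailureMode("U1 CPU", "output stuck high", 30.0, dangerous=True, coverage=0.99),
    FailureMode("U1 CPU", "halt / watchdog reset", 20.0, dangerous=False),
    FailureMode("K1 relay", "contact welded", 5.0, dangerous=True, coverage=0.90),
    FailureMode("K1 relay", "coil open", 10.0, dangerous=False),
    FailureMode("R5 pull-down", "open circuit", 2.0, dangerous=True),  # no diagnostic covers it
]
```

For this sample the uncovered pull-down resistor contributes more to λDU than the CPU and relay together, which is exactly the kind of finding an FMEDA is meant to surface before the architecture is fixed.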
Hardware Fault Tolerance (HFT)
Hardware Fault Tolerance defines how many hardware faults a system can tolerate without loss of the safety function. EN 50129 links HFT to both the required SIL and the SFF of the hardware:
| HFT | Architecture | Description | Max SIL (with high SFF) |
|---|---|---|---|
| 0 | 1oo1 (single channel) | Single processor — fails to safe on any detected fault | SIL 2 |
| 1 | 1oo2 or 2oo3 | Dual or triple redundant — one fault tolerated without safety impact | SIL 3–4 |
| 2 | 2oo3D or higher | Highly redundant — two concurrent faults tolerated | SIL 4 |
The EN 50129 Safety Case Structure
The central deliverable of EN 50129 is the Hardware Safety Case — a structured document that presents the argument and evidence that a specific hardware item meets its THR and is therefore acceptable for deployment in a given SIL context. EN 50129 defines a specific structure for the Safety Case, comprising three main sections:
| Section | Content |
|---|---|
| Part 1: Definition of the system | System description, operational context, interfaces, constraints, and the specific safety functions being claimed. Links to the EN 50126 system-level hazard log and SIL allocation. |
| Part 2: Quality management | Evidence that the development process was conducted under an appropriate quality management system (typically EN ISO 9001 or equivalent). Covers design reviews, configuration management, and traceability. |
| Part 3: Functional and technical safety | The core technical evidence: FMEDA results showing λDU meets THR, hardware architecture description (HFT), DC calculations, environmental qualification, and test reports. |
| Safety Case Argument | A structured safety argument, often presented as a Goal Structuring Notation (GSN) diagram, linking the safety claims, the evidence from Parts 1–3, and the conclusion that the THR is met. |
EN 50129 vs IEC 61508: What is the Difference?
IEC 61508 is the general international functional safety standard that applies across many industries (process, machinery, medical devices). EN 50129 is a sector-specific derivative of IEC 61508, tailored to the specific characteristics of railway signalling. The key differences are:
| Feature | EN 50129 | IEC 61508 |
|---|---|---|
| Sector | Railway signalling only | All safety-related electronic systems (cross-industry) |
| Safety case structure | Prescriptive three-part structure defined in the standard | More flexible — structure determined by project |
| Relationship to RAMS | Explicitly links to EN 50126 for SIL allocation and hazard log | Self-contained — includes its own risk assessment framework |
| Legal status (EU rail) | Referenced in TSIs — effectively mandatory for EU rail authorisation | Not directly referenced in EU railway legislation |
For railway signalling projects in Europe, EN 50129 is always preferred over IEC 61508, as NSAs expect the railway-specific standard. IEC 61508 may be used as a supplementary reference for novel technologies not addressed by EN 50129, but a direct claim of compliance with IEC 61508 alone is unlikely to satisfy an NSA for a signalling system.
How EN 50129 is Applied in Practice
In a typical signalling project, the EN 50129 process runs in parallel with the EN 50126 RAMS lifecycle. The workflow usually proceeds as follows:
| Step | Activity | EN 50129 Link |
|---|---|---|
| 1 | Receive SIL allocation from EN 50126 RAMS Plan | THR target derived from SIL |
| 2 | Define hardware architecture (HFT, redundancy) | Safety Case Part 3 — architecture section |
| 3 | Conduct FMEDA on all safety-related hardware items | Calculate λDU, DC, SFF — compare to THR target |
| 4 | Environmental qualification testing | Temperature, vibration, EMC per EN 50121 |
| 5 | Compile Hardware Safety Case (Parts 1–3) | Full EN 50129 documentation package |
| 6 | Independent Safety Assessment (ISA) review | ISA statement — required for SIL 2 and above |
| 7 | Submit to NSA / NoBo for safety authorisation | EN 50129 Safety Case forms part of overall system safety case |
