Choosing an OS for Functional Safety: Buy Certified or Qualify Your Own?

31 July 2025 · Dr. Michel Houtermans · 5 min read
functional safety

Choosing your operating system is a certification-critical decision that locks in architecture, evidence, cost, and schedule risk. This guide helps you decide between a pre-certified RTOS and qualifying your own — with practical options and what each means for your safety case under IEC 61508 and ISO 26262.

Why the OS choice matters

At Risknowlogy, we see teams lose months retrofitting an OS that wasn't validated early enough. Your OS choice affects determinism, freedom-from-interference, safety evidence, and audit readiness. This article summarises current options and the implications of each for industrial, medical, rail, and automotive systems.

The key question is: does your OS come with the safety evidence you need — or will you have to build it yourself?

The two paths: certified vs. custom OS

Option 1: Use a certified RTOS

Pre-certified systems arrive with validated safety manuals, usage restrictions, and toolchain guidance — dramatically reducing your effort to achieve SIL/ASIL.

OS / Platform Certifications / Status Max SIL/ASIL Typical Domains & Notes
QNX OS for Safety 8.0 IEC 61508, ISO 26262, IEC 62304 (SEooC) SIL 3 / ASIL D Industrial, automotive, medical; mature partitioning and evidence set.
VxWorks Cert Edition IEC 61508, ISO 26262, IEC 62304; evidence for DO-178C use cases SIL 3 / ASIL D Industrial, rail, medical; strong ecosystem and support.
Green Hills INTEGRITY RTOS IEC 61508 (SIL3), EN 50128/50657; ISO 26262 support available SIL 3 Industrial/rail/auto; separate avionics line is INTEGRITY-178 (DO-178C).
INTEGRITY-178 tuMP (avionics) DO-178C DAL A, CAST-32A multicore DAL A Aerospace only; not positioned for IEC 61508/ISO 26262 projects.
SEGGER embOS-Safe IEC 61508 SIL 3, IEC 62304 Class C, ISO 26262 ASIL D SIL 3 / ASIL D Lightweight embedded & medical; compact footprint and clear manuals.
SafeRTOS IEC 61508 SIL 3, ISO 26262 ASIL D; available on RISC-V MiV_RV32 SIL 3 / ASIL D Compact devices/sensors; certified path on open architectures.
Micrium "Flexible Safety RTOS" (µC/OS lineage) Options for ISO 26262, IEC 61508, IEC 62304, EN 50128 Up to SIL 3 / ASIL D Embedded controllers; verify the domain-specific cert bundle.
Red Hat In-Vehicle OS (Linux) ISO 26262 ASIL-B (SEooC) certified; mixed-criticality milestones ASIL B SDV platforms & domain controllers; requires careful partitioning.
AUTOSAR Classic OS (Vector MICROSAR OS, ETAS RTA-OS) ISO 26262 ASIL D (product-specific) ASIL D Automotive ECUs; domain-specific OS for Classic stack.
Zephyr Safety Profile Safety release targeting IEC 61508 SIL 3; certification in progress Target SIL 3 Open-source RTOS with formal safety track — assess maturity vs. schedule.

Updates worth noting: Red Hat's in-vehicle OS achieved ASIL-B (SEooC) certification in 2025; SafeRTOS availability on RISC-V (MiV_RV32) broadens certified options for open hardware; embOS-Safe covers both industrial and medical (IEC 62304 Class C).

Option 2: Qualify your own OS

Common bases: open source (Linux, Zephyr, RTEMS, FreeRTOS), internal/custom RTOS, or legacy platforms.

  • Advantages: lower licence cost, full configurability, easier integration of non-safety workloads
  • Challenges: you must build the entire evidence set (architecture, coverage, analyses), accept longer timelines, and qualify the toolchain
  • Note: FreeRTOS itself isn't safety-certified; SafeRTOS (a commercial derivative) is

IEC 61508's five non-negotiables for OS suitability

Requirement What You Must Demonstrate
Determinism Guaranteed, bounded response times (WCET) for all safety-related tasks.
Fault Containment Isolation of memory, tasks, and communication via MPU/MMU/hypervisor; freedom-from-interference.
Safety Evidence Architecture, assumptions of use, bidirectional traceability, test coverage, FMEA/FMEDA and fault analysis.
Toolchain Qualification Proven-in-use or qualified tools per IEC 61508-3 / ISO 26262-8; certified toolchains reduce effort.
Correct Use of OS Operate within the safety manual's scope (or define justified rules and verification if you deviate).

Cost comparison: licensing vs. qualification effort

Factor Certified OS Custom / Uncertified OS
Licence Fees €20k–€100k+ Free or low
Safety Documentation Provided (manuals, coverage, assumptions) Created from scratch
Audit Readiness High Medium–Low (depends on rigour)
Certification Timeline Weeks 4–6+ months
Toolchain Risk Managed/qualified You must qualify/justify

Field lesson: Teams qualifying Linux or community RTOSs to SIL 2+ often add months of rework — usually around partitioning, toolchain qualification, and evidence gaps.

Risknowlogy recommendations

Choose a certified OS if…

  • You run SIL 2+ safety functions on the OS
  • You want a faster path, lower evidence burden, and strong audit posture
  • You lack internal capacity for tool/OS qualification

Consider qualifying your own if…

  • The OS runs only non-safety functions (HMI, logging, analytics)
  • You have mature V&V and a seasoned safety leadership team
  • You target SIL 1 or reuse a well-characterised legacy stack

2024–2025 highlights

  • QNX OS for Safety 8.0 reaffirmed top-tier certifications (SIL3/ASIL-D/62304) with SEooC positioning
  • Red Hat In-Vehicle OS achieved ISO 26262 ASIL-B (SEooC) and mixed-criticality milestones for SDV use cases
  • SafeRTOS broadened reach with RISC-V (MiV_RV32) availability while retaining SIL3/ASIL-D credentials
  • Zephyr Safety Profile continues toward IEC 61508 SIL3; confirm maturity and scope at selection time

Step-by-step: build a compliant OS strategy

  1. Engage Risknowlogy early to align OS choice with the Safety Concept and SIF allocation.
  2. Partition mixed criticality (MMU/MPU or hypervisor) and prove freedom-from-interference.
  3. Lock your toolchain (prefer certified compilers/IDEs) before design freeze.
  4. Automate evidence from day 1 (requirements ↔ tests ↔ coverage; fault injection where applicable).
  5. Follow the Safety Manual meticulously; document any deviations with analysis and tests.
Your OS choice is a certification-critical decision. Get it wrong and you lose months. Get it right and you build on a foundation of proven evidence, determinism, and audit readiness.

Further reading and references

  • QNX OS for Safety (BlackBerry QNX) — certifications & product pages
  • Wind River VxWorks Cert Edition — safety documentation overview
  • Green Hills INTEGRITY — industrial/rail/auto certifications; INTEGRITY-178 for avionics
  • SEGGER embOS-Safe — IEC 61508 SIL3 and IEC 62304 Class C
  • SafeRTOS — SIL3/ASIL-D; availability on RISC-V MiV_RV32
  • Red Hat In-Vehicle OS — ISO 26262 ASIL-B (SEooC) certification announcements
  • Vector MICROSAR OS / ETAS RTA-OS — AUTOSAR Classic OS, ASIL-D
  • Zephyr Project — Safety Profile status and roadmap
  • IEC 61508 and ISO 26262 standards (publisher sites) for normative requirements

Related articles

Go deeper — IEC 61508 Certification Course

Our IEC 61508 course covers software safety techniques, OS qualification, architectural design, and safety case preparation — for engineers making certification-critical decisions.

Explore the course → Ask us a question
← Back to all articles
We use cookies
Cookie preferences
Below you may find information about the purposes for which we and our partners use cookies and process data. You can exercise your preferences for processing, and/or see details on our partners' websites.
Analytical cookies Disable all
Functional cookies
Other cookies
We use cookies to personalize content and ads, to provide social media features and to analyze our traffic. Learn more about our cookie policy.
Accept all Decline all Change preferences
Cookies