Choosing an OS for Functional Safety: Buy Certified or Qualify Your Own?

2025-07-31

 functional safety 

Choosing an OS for Functional Safety: Buy Certified or Qualify Your Own?

A Risknowlogy Guide to Making the Right Decision Under IEC 61508 & ISO 26262

Summary

Choosing your operating system is a certification-critical decision that locks in architecture, evidence, cost, and schedule risk. Use this guide to decide between a pre-certified RTOS and qualifying your own, with practical options and what each means for your safety case.

Key Points

  • Certified RTOS shortens timelines and reduces safety-case burden with TÜV/exida validation and safety manuals.
  • Custom/Uncertified OS offers control and low license cost, but you must produce all safety evidence and qualify tools.
  • For SIL 2+ or tight schedules, a certified OS is usually the lower-risk path; for non-safety workloads or SIL 1, custom can fit.
  • Partitioning and toolchain qualification are non-negotiable in mixed-criticality designs.

Introduction

At Risknowlogy, we see teams lose months retrofitting an OS that wasn’t validated early enough. Your OS choice affects determinism, freedom-from-interference, safety evidence, and audit readiness. This article summarizes current options and the implications of each under IEC 61508 and ISO 26262 for industrial, medical, rail, and automotive systems.

The Two Paths: Certified vs. Custom OS

Option 1: Use a Certified RTOS

Pre-certified systems arrive with validated safety manuals, usage restrictions, and toolchain guidance—dramatically reducing your effort to achieve SIL/ASIL.

Representative Certified / Safety-Ready OS Options (2025)
OS / Platform Certifications / Status Max SIL/ASIL Typical Domains & Notes
QNX OS for Safety 8.0 IEC 61508, ISO 26262, IEC 62304 (SEooC) SIL 3 / ASIL D Industrial, automotive, medical; mature partitioning and evidence set.
VxWorks Cert Edition IEC 61508, ISO 26262, IEC 62304; evidence for DO-178C use cases SIL 3 / ASIL D Industrial, rail, medical; strong ecosystem and support.
Green Hills INTEGRITY RTOS IEC 61508 (SIL3), EN 50128/50657; ISO 26262 support available SIL 3 Industrial/rail/auto; separate avionics line is INTEGRITY-178 (DO-178C).
INTEGRITY-178 tuMP (avionics) DO-178C DAL A, CAST-32A multicore DAL A Aerospace only; not positioned for IEC 61508/ISO 26262 projects.
SEGGER embOS-Safe IEC 61508 SIL 3, IEC 62304 Class C, ISO 26262 ASIL D SIL 3 / ASIL D Lightweight embedded & medical; compact footprint and clear manuals.
SafeRTOS IEC 61508 SIL 3, ISO 26262 ASIL D; available on RISC-V MiV_RV32 SIL 3 / ASIL D Compact devices/sensors; certified path on open architectures.
Micrium “Flexible Safety RTOS” (µC/OS lineage) Options for ISO 26262, IEC 61508, IEC 62304, EN 50128 Up to SIL 3 / ASIL D Embedded controllers; verify the domain-specific cert bundle.
Red Hat In-Vehicle OS (Linux) ISO 26262 ASIL-B (SEooC) certified; mixed-criticality milestones ASIL B SDV platforms & domain controllers; requires careful partitioning.
AUTOSAR Classic OS (Vector MICROSAR OS, ETAS RTA-OS) ISO 26262 ASIL D (product-specific) ASIL D Automotive ECUs; domain-specific OS for Classic stack.
Zephyr Safety Profile Safety release targeting IEC 61508 SIL 3; certification in progress Target SIL 3 Open-source RTOS with formal safety track—assess maturity vs. schedule.

Updates worth noting: Red Hat’s in-vehicle OS achieved ASIL-B (SEooC) certification in 2025; SafeRTOS availability on RISC-V (MiV_RV32) broadens certified options for open hardware; embOS-Safe covers both industrial and medical (IEC 62304 Class C).

Option 2: Qualify Your Own OS

Common bases: open source (Linux, Zephyr, RTEMS, FreeRTOS), internal/custom RTOS, or legacy platforms.

  • Advantages: lower license cost, full configurability, easier integration of non-safety workloads.
  • Challenges: you must build the entire evidence set (architecture, coverage, analyses), accept longer timelines, and qualify the toolchain.
  • Note: FreeRTOS itself isn’t safety-certified; SafeRTOS (a commercial derivative) is.

IEC 61508’s Five Non-Negotiables for OS Suitability

Requirement What You Must Demonstrate
Determinism Guaranteed, bounded response times (WCET) for all safety-related tasks.
Fault Containment Isolation of memory, tasks, and communication via MPU/MMU/hypervisor; freedom-from-interference.
Safety Evidence Architecture, assumptions of use, bidirectional traceability, test coverage, FMEA/FMEDA and fault analysis.
Toolchain Qualification Proven-in-use or qualified tools per IEC 61508-3 / ISO 26262-8; certified toolchains reduce effort.
Correct Use of OS Operate within the safety manual’s scope (or define justified rules and verification if you deviate).

Cost Comparison: Licensing vs. Qualification Effort

Factor Certified OS Custom / Uncertified OS
License Fees €20k–€100k+ Free or low
Safety Documentation Provided (manuals, coverage, assumptions) Created from scratch
Audit Readiness High Medium–Low (depends on rigor)
Certification Timeline Weeks 4–6+ months
Toolchain Risk Managed/qualified You must qualify/justify

Field lesson: Teams qualifying Linux or community RTOSs to SIL 2+ often add months of rework—usually around partitioning, toolchain qualification, and evidence gaps.

Risknowlogy Recommendations

Choose a Certified OS if…

  • You run SIL 2+ safety functions on the OS.
  • You want a faster path, lower evidence burden, and strong audit posture.
  • You lack internal capacity for tool/OS qualification.

Consider Qualifying Your Own if…

  • The OS runs only non-safety functions (HMI, logging, analytics).
  • You have mature V&V and a seasoned safety leadership team.
  • You target SIL 1 or reuse a well-characterized legacy stack.

2024–2025 Highlights (What Changed)

  • QNX OS for Safety 8.0 reaffirmed top-tier certifications (SIL3/ASIL-D/62304) with SEooC positioning.
  • Red Hat In-Vehicle OS achieved ISO 26262 ASIL-B (SEooC) and mixed-criticality milestones for SDV use cases.
  • SafeRTOS broadened reach with RISC-V (MiV_RV32) availability while retaining SIL3/ASIL-D credentials.
  • Zephyr Safety Profile continues toward IEC 61508 SIL3; confirm maturity and scope at selection time.

Step-by-Step: Build a Compliant OS Strategy

  1. Engage Risknowlogy early to align OS choice with the Safety Concept and SIF allocation.
  2. Partition mixed criticality (MMU/MPU or hypervisor) and prove freedom-from-interference.
  3. Lock your toolchain (prefer certified compilers/IDEs) before design freeze.
  4. Automate evidence from day 1 (requirements ↔ tests ↔ coverage; fault injection where applicable).
  5. Follow the Safety Manual meticulously; document any deviations with analysis and tests.

Further Reading & References

  • QNX OS for Safety (BlackBerry QNX) – certifications & product pages.
  • Wind River VxWorks Cert Edition – safety documentation overview.
  • Green Hills INTEGRITY – industrial/rail/auto certifications; INTEGRITY-178 for avionics.
  • SEGGER embOS-Safe – IEC 61508 SIL3 and IEC 62304 Class C.
  • SafeRTOS – SIL3/ASIL-D; availability on RISC-V MiV_RV32.
  • Red Hat In-Vehicle OS – ISO 26262 ASIL-B (SEooC) certification announcements.
  • Vector MICROSAR OS / ETAS RTA-OS – AUTOSAR Classic OS, ASIL-D.
  • Zephyr Project – Safety Profile status and roadmap.
  • IEC 61508 and ISO 26262 standards (publisher sites) for normative requirements.

Back to all news

We use cookies
Cookie preferences
Below you may find information about the purposes for which we and our partners use cookies and process data. You can exercise your preferences for processing, and/or see details on our partners' websites.
Analytical cookies Disable all
Functional cookies
Other cookies
We use cookies to personalize content and ads, to provide social media features and to analyze our traffic. Learn more about our cookie policy.
Accept all Decline all Change preferences
Cookies