Choosing an OS for Functional Safety: Buy Certified or Qualify Your Own?
2025-07-31
A Risknowlogy Guide to Making the Right Decision Under IEC 61508 & ISO 26262
Summary
Choosing your operating system is a certification-critical decision that locks in architecture, evidence, cost, and schedule risk. Use this guide to decide between a pre-certified RTOS and qualifying your own, with practical options and what each means for your safety case.
Key Points
- Certified RTOS shortens timelines and reduces safety-case burden with TÜV/exida validation and safety manuals.
- Custom/Uncertified OS offers control and low license cost, but you must produce all safety evidence and qualify tools.
- For SIL 2+ or tight schedules, a certified OS is usually the lower-risk path; for non-safety workloads or SIL 1, custom can fit.
- Partitioning and toolchain qualification are non-negotiable in mixed-criticality designs.
Introduction
At Risknowlogy, we see teams lose months retrofitting an OS that wasn’t validated early enough. Your OS choice affects determinism, freedom-from-interference, safety evidence, and audit readiness. This article summarizes current options and the implications of each under IEC 61508 and ISO 26262 for industrial, medical, rail, and automotive systems.
The Two Paths: Certified vs. Custom OS
✅ Option 1: Use a Certified RTOS
Pre-certified systems arrive with validated safety manuals, usage restrictions, and toolchain guidance—dramatically reducing your effort to achieve SIL/ASIL.
| OS / Platform | Certifications / Status | Max SIL/ASIL | Typical Domains & Notes |
|---|---|---|---|
| QNX OS for Safety 8.0 | IEC 61508, ISO 26262, IEC 62304 (SEooC) | SIL 3 / ASIL D | Industrial, automotive, medical; mature partitioning and evidence set. |
| VxWorks Cert Edition | IEC 61508, ISO 26262, IEC 62304; evidence for DO-178C use cases | SIL 3 / ASIL D | Industrial, rail, medical; strong ecosystem and support. |
| Green Hills INTEGRITY RTOS | IEC 61508 (SIL3), EN 50128/50657; ISO 26262 support available | SIL 3 | Industrial/rail/auto; separate avionics line is INTEGRITY-178 (DO-178C). |
| INTEGRITY-178 tuMP (avionics) | DO-178C DAL A, CAST-32A multicore | DAL A | Aerospace only; not positioned for IEC 61508/ISO 26262 projects. |
| SEGGER embOS-Safe | IEC 61508 SIL 3, IEC 62304 Class C, ISO 26262 ASIL D | SIL 3 / ASIL D | Lightweight embedded & medical; compact footprint and clear manuals. |
| SafeRTOS | IEC 61508 SIL 3, ISO 26262 ASIL D; available on RISC-V MiV_RV32 | SIL 3 / ASIL D | Compact devices/sensors; certified path on open architectures. |
| Micrium “Flexible Safety RTOS” (µC/OS lineage) | Options for ISO 26262, IEC 61508, IEC 62304, EN 50128 | Up to SIL 3 / ASIL D | Embedded controllers; verify the domain-specific cert bundle. |
| Red Hat In-Vehicle OS (Linux) | ISO 26262 ASIL-B (SEooC) certified; mixed-criticality milestones | ASIL B | SDV platforms & domain controllers; requires careful partitioning. |
| AUTOSAR Classic OS (Vector MICROSAR OS, ETAS RTA-OS) | ISO 26262 ASIL D (product-specific) | ASIL D | Automotive ECUs; domain-specific OS for Classic stack. |
| Zephyr Safety Profile | Safety release targeting IEC 61508 SIL 3; certification in progress | Target SIL 3 | Open-source RTOS with formal safety track—assess maturity vs. schedule. |
Updates worth noting: Red Hat’s in-vehicle OS achieved ASIL-B (SEooC) certification in 2025; SafeRTOS availability on RISC-V (MiV_RV32) broadens certified options for open hardware; embOS-Safe covers both industrial and medical (IEC 62304 Class C).
Option 2: Qualify Your Own OS
Common bases: open source (Linux, Zephyr, RTEMS, FreeRTOS), internal/custom RTOS, or legacy platforms.
- Advantages: lower license cost, full configurability, easier integration of non-safety workloads.
- Challenges: you must build the entire evidence set (architecture, coverage, analyses), accept longer timelines, and qualify the toolchain.
- Note: FreeRTOS itself isn’t safety-certified; SafeRTOS (a commercial derivative) is.
IEC 61508’s Five Non-Negotiables for OS Suitability
| Requirement | What You Must Demonstrate |
|---|---|