RTOS Functional Safety Certification – Table Stakes or not?

By Bill Lamie

April 11, 2024

In business, “table stakes” represents a minimum requirement to participate in a market. Today, there are over a hundred open-source and commercial RTOS in the embedded market. A vast majority of them don’t have functional safety certification. Given this, it’s evident that RTOS functional safety certification is not “table stakes” today, but maybe it should be!

RTOS is the foundation of embedded devices. All application-specific code relies on RTOS for its execution. An RTOS is analogous to the foundation of a building. If the foundation isn’t strong, the entire building might fail. The same is true for embedded applications. If the RTOS is faulty, the whole application might fail.

At the highest level, RTOS functional safety certification is an objective measure of proper operation and, by extension, quality. For example, RTOS functional safety certification often requires 100% C statement testing coverage and 100% branch/decision testing coverage. It also requires a verified software lifecycle and a safety manual to ensure developers use the RTOS correctly. This represents a level of rigor above and beyond common RTOS solutions. It’s worth saying that this extra rigor really amounts to industry best practices.

Benefits for Certified Devices

If your device requires functional safety certification, a pre-certified RTOS is of great direct value. The RTOS's certification documentation can be used in the device's certification, saving the developer from trying to certify the RTOS code in addition to the application code. Instead, the developer simply supplies the RTOS certification artifacts with the application certification—saving considerable time and money.

Even if your application doesn’t have an explicit functional safety certification requirement today, it might in the future. There is an ever-increasing stream of new legislation concerning product safety and security, e.g., General Product Safety Regulation (GPSR), EU Machinery Regulation, European Medical Device Regulation (EU MDR), European Cyber Resilience Act (CRA), and more. So, even if you don’t have regulatory requirements today, there will likely be some in the future. Using an RTOS with functional safety certification helps “future-proof” your device for that eventuality.

Benefits for All Devices

The benefits of a functional safety-certified RTOS apply to all device makers. Following industry best practices is an essential first line of defense in product liability. An RTOS without functional safety certification typically does not follow best practices. It is deficient in some elements of the software lifecycle, most notably insufficient verification. Using such an RTOS provides an easy opening for product liability.

As mentioned, an RTOS with functional safety certification has been extensively tested, which helps reduce development time. A better-quality RTOS also helps improve overall device quality and reduces the risk of a recall once the device is in production. Avoiding the costs associated with a recall easily offsets the cost of a functional safety-certified RTOS.

Security in embedded systems overlaps with functional safety. For example, if an issue in the RTOS causes memory corruption, a hacker can exploit this for a denial of service, improper information access, or even remote code execution. An RTOS with functional safety certification is less likely to have such a vulnerability.

Most Common Safety Standards

The most common RTOS functional safety standard is IEC 61508, an international standard published by the International Electrotechnical Commission (IEC). The standard applies to functional safety for electrical, electronic, and programmable electronic products, covering a wide range of devices. This standard has four Safety Integrity Levels (SIL), ranging from SIL 1 to SIL 4. The higher the SIL, the higher the safety classification. For example, software meeting only SIL 1 requirements should not be used in a safety-critical device requiring SIL 4. Related functional safety standards exist for specific industries, e.g., ISO 26262 for automotive, IEC 62304 for medical, and EN 50128 for the rail industry. All of these have similar requirements and levels of safety classification.

Table Stakes Or Not?

Since RTOS functional safety benefits all devices and ultimately represents industry best practices, it should be “table stakes” in the embedded market. Device makers that leverage an RTOS with functional safety certification improve time-to-market, reduce product liability, and improve product quality. They can concentrate on growing their business rather than doing damage control associated with faulty devices. If all devices were built with an RTOS having functional safety certification, the world would be a much safer and more reliable place!

Bill has been in the commercial RTOS space for over 30 years - first with Accelerated Technology (acquired by Siemens) and then with Express Logic (acquired by Microsoft). Bill was the sole author of Nucleus and ThreadX. Bill’s latest endeavor is PX5, where you can find his latest creation – the PX5 RTOS!