Is RTOS Functional Safety Certification Necessary?

In business, a "must" is the minimum requirement for participating in a market. Today there are well over a hundred open-source and commercial RTOS products in the embedded market, and most of them lack functional safety certification. By that measure, certification is clearly not yet a "must", but perhaps it should be.

An RTOS is the foundation of an embedded device: every application task runs on top of it. Like the foundation of a building, if it is not solid the whole structure can come down; if the RTOS fails, the entire application fails with it.

At the highest level, functional safety certification of an RTOS is an objective measure of correct operation and therefore of product quality. For example, certification typically requires 100% statement coverage and 100% branch/decision coverage of the C source under test, along with a verified software development lifecycle and a safety manual that tells developers how to use the RTOS correctly. This rigor goes beyond what most RTOS products offer, but it is essentially industry best practice written down and audited.

Advantages of Certified Devices

If your device itself requires functional safety certification, a pre-certified RTOS has direct and significant value: its certification artifacts (test evidence, safety manual, lifecycle documentation) can be submitted as part of the device certification, so developers only have to produce evidence for their own application code rather than for the kernel as well. That saves a great deal of time and money.

Even if your application has no explicit functional safety requirement today, it may have one tomorrow. New legislation covering product safety and cybersecurity keeps appearing, for example the General Product Safety Regulation (GPSR), the EU Machinery Regulation, the EU Medical Device Regulation (EU MDR) and the EU Cyber Resilience Act (CRA). So even without a regulatory requirement today, there may well be one later. Choosing an RTOS that is already certified helps make the device "future-proof" against that possibility.

Advantages for All Devices

The advantages of a certified RTOS benefit every device manufacturer, and following industry best practice is the first line of defense in any product liability claim. An uncertified RTOS often does not follow those practices and has gaps in its software lifecycle, most notably insufficient verification, and such gaps leave the door open to product failures.

As noted above, a certified RTOS has undergone extensive testing, which shortens development time because fewer kernel defects surface during integration. A higher-quality RTOS also raises the overall quality of the device and lowers the risk of field recalls, and the cost of a single recall can easily exceed the cost of a certified RTOS.

Information security in embedded systems overlaps considerably with functional safety. If a defect in the RTOS causes memory corruption, an attacker can often turn that defect into a denial of service, unauthorized access to data, or even remote code execution. An RTOS that has been through functional safety certification is less likely to ship with such defects, because its code has been verified to the coverage levels described above. The caveat is that functional safety certification is not a security certification: it attests to correct behaviour under the analysed conditions, not to resistance against a deliberate attacker, so it complements rather than replaces a security assessment of the device.
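The two points above, a memory-corruption defect in a kernel API and the branch-coverage evidence that certification demands, are easier to see in code. The following C sketch is an added example and not code from this article, from PX5, ThreadX, Nucleus or any other RTOS: it models a constructed toy message queue whose names, sizes and return codes are assumptions. The unchecked send trusts the caller's length and overruns its slot; the hardened send validates every argument first, and the last function records the test vectors that drive each of its decisions both ways, which is the kind of evidence a 100% branch-coverage requirement produces.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy message queue, loosely modelled on an RTOS kernel object. NOT
 * the API of any real RTOS; names, sizes and return codes are assumptions. */
#define MSG_MAX     16   /* bytes per message slot */
#define QUEUE_DEPTH 4    /* number of slots */
#define GUARD_LEN   4    /* canary bytes placed right after the last slot */
#define GUARD_BYTE  0xA5

enum { MQ_OK = 0, MQ_ERR_FULL = -1, MQ_ERR_BADARG = -2, MQ_ERR_TOOBIG = -3 };

typedef struct {
    /* Slots and canary share one flat array so an overrun stays observable. */
    uint8_t  mem[QUEUE_DEPTH * MSG_MAX + GUARD_LEN];
    unsigned tail, count;
} mq_t;

void mq_init(mq_t *q) {
    memset(q, 0, sizeof *q);
    memset(q->mem + QUEUE_DEPTH * MSG_MAX, GUARD_BYTE, GUARD_LEN);
}

/* True while the canary after the last slot is untouched. */
bool mq_guard_intact(const mq_t *q) {
    for (size_t i = 0; i < GUARD_LEN; i++)
        if (q->mem[QUEUE_DEPTH * MSG_MAX + i] != GUARD_BYTE) return false;
    return true;
}

/* Shared copy step: trusts len, so safety depends entirely on the caller. */
static void copy_into_tail(mq_t *q, const uint8_t *msg, size_t len) {
    uint8_t *slot = q->mem + q->tail * MSG_MAX;
    for (size_t i = 0; i < len; i++) slot[i] = msg[i];
    q->tail = (q->tail + 1) % QUEUE_DEPTH;
    q->count++;
}

/* Unchecked variant: an attacker-controlled length writes past the slot. */
int mq_send_unchecked(mq_t *q, const uint8_t *msg, size_t len) {
    if (q->count == QUEUE_DEPTH) return MQ_ERR_FULL;
    copy_into_tail(q, msg, len);
    return MQ_OK;
}

/* Hardened variant: arguments validated before any memory is touched. Each
 * `if` is a decision that a 100% branch-coverage suite must drive both ways. */
int mq_send(mq_t *q, const uint8_t *msg, size_t len) {
    if (q == NULL || msg == NULL) return MQ_ERR_BADARG;
    if (len > MSG_MAX) return MQ_ERR_TOOBIG;
    if (q->count == QUEUE_DEPTH) return MQ_ERR_FULL;
    copy_into_tail(q, msg, len);
    return MQ_OK;
}

/* Fill QUEUE_DEPTH-1 slots so the tail is the last slot, then push a message
 * GUARD_LEN bytes too long. Stores the return code; returns canary intact? */
static bool overrun_scenario(int (*send)(mq_t *, const uint8_t *, size_t), int *rc) {
    mq_t q;
    uint8_t small[MSG_MAX], big[MSG_MAX + GUARD_LEN];
    memset(small, 0x11, sizeof small);
    memset(big, 0x22, sizeof big);
    mq_init(&q);
    for (int i = 0; i < QUEUE_DEPTH - 1; i++) send(&q, small, sizeof small);
    *rc = send(&q, big, sizeof big);
    return mq_guard_intact(&q);
}

/* The unchecked call reports success while silently clobbering the canary. */
bool demo_unchecked_corrupts_guard(void) {
    int rc;
    return !overrun_scenario(mq_send_unchecked, &rc) && rc == MQ_OK;
}

/* The hardened call rejects the oversize message and the canary survives. */
bool demo_checked_rejects_oversize(void) {
    int rc;
    return overrun_scenario(mq_send, &rc) && rc == MQ_ERR_TOOBIG;
}

/* Vector set that drives every decision in mq_send() both ways. Returns the
 * number of distinct outcomes reached; 4 means all paths were exercised. */
int mq_branch_coverage_vectors(void) {
    mq_t q;
    uint8_t m[MSG_MAX + 1];
    int seen[4] = {0}, rc;
    memset(m, 0x33, sizeof m);
    mq_init(&q);
    rc = mq_send(NULL, m, 1);                                /* decision 1 true  */
    if (rc == MQ_ERR_BADARG) seen[0] = 1;
    rc = mq_send(&q, m, MSG_MAX + 1);                        /* 1 false, 2 true  */
    if (rc == MQ_ERR_TOOBIG) seen[1] = 1;
    for (int i = 0; i < QUEUE_DEPTH; i++) rc = mq_send(&q, m, MSG_MAX); /* all false */
    if (rc == MQ_OK) seen[2] = 1;
    rc = mq_send(&q, m, 1);                                  /* 3 true: now full */
    if (rc == MQ_ERR_FULL) seen[3] = 1;
    return seen[0] + seen[1] + seen[2] + seen[3];
}
```

The canary is kept inside the same flat array as the slots so the overrun is visible without relying on undefined behaviour; on real hardware the bytes after the queue would be whatever the linker placed there. Note that the four vectors satisfy statement and branch coverage but not MC/DC of the compound condition in the first `if`: showing that `msg == NULL` alone triggers the rejection would need one more vector with a valid queue and a NULL message.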

Most Common Safety Standards

The most common functional safety standard applied to an RTOS is IEC 61508, an international standard published by the International Electrotechnical Commission (IEC). It covers the functional safety of electrical, electronic and programmable electronic (E/E/PE) safety-related systems and therefore applies to a very wide range of devices. It defines four Safety Integrity Levels (SIL), SIL 1 to SIL 4; the higher the SIL, the more demanding the requirements.

For example, software that only meets SIL 1 requirements cannot be used in a safety-critical device that demands SIL 4. Several industries have their own derived standards, such as ISO 26262 for automotive, IEC 62304 for medical device software and EN 50128 for railway software. Their requirements are similar, though each uses its own classification scheme (ASIL A to D in ISO 26262, software safety classes A to C in IEC 62304, SIL 0 to 4 in EN 50128).

Is it Necessary?

Since a functionally safe RTOS benefits every device and ultimately represents industry best practice, it should become a "must" in the embedded market. Manufacturers that build on a certified RTOS can shorten time to market, reduce liability from product failures and improve product quality, and can focus on growing their business rather than on damage control for faulty devices. If every device used a certified RTOS, the world would be a safer and more reliable place!

[Author's Note] The author of this article, Bill Lamie, is the former CTO of Express Logic and the architect of the Nucleus and ThreadX (Azure RTOS) real-time operating systems. He created the PX5 RTOS, the first RTOS to provide a native POSIX pthread API, certified by SGS-TÜV Saar for compliance with the IEC 61508, IEC 62304, ISO 26262 and EN 50128 functional safety standards.


Source: Maikete Technology
