SAFERTOS was initially certified in 2007 by TÜV SÜD to IEC 61508-3 SIL 3, the highest level possible for a software only component.
Today SAFERTOS has grown to be a leading safety critical RTOS solution supporting a wide range of international safety design standards, including:
IEC 61508 and ISO 26262 functional safety standards allow the certification of software only components, such as an RTOS. Here the RTOS is certified as a Safety Element out of Context (SEooC), as the final application in which the RTOS will be used is unknown.
Other standards take into account the specific product risks, and hence certification can only occur at a product level. Individual software components designed for use in systems where certification is only possible at a system level are normally referred to as “certifiable to”.
Both IEC 61508 (industrial) and ISO 26262 (automotive) support the certification of software only components; whereas IEC 62304 (medical) and DO178 (aerospace) only support the certification of the final product.
SAFERTOS is pre-certified, meaning previous versions of SAFERTOS and its Design Assurance Pack (DAP) have been independently certified. Each certification is specific to a processor/compiler combination, down to a specific version of the compiler and a specific compiler configuration. As part of the WHIS continuous certification program WHIS releases a number of SAFERTOS variants to TÜV SÜD for independent certification at least once per year, typically upon a major version number upgrade, or for a new processor architecture or in response to a customer request.
SAFERTOS consists of two layers, a core SAFERTOS layer which forms around 80% of the code base, and is common across SAFERTOS variants of the same major version number, and a portable layer which encapsulates the processor/compiler specific code.
When preparing a new SAFERTOS variant, the portable layer DAP for the specific processor/compiler combination is created along with the portable layer code base. The portable layer is then integrated with the core SAFERTOS layer and its supporting DAP, all verification and validation tests are executed, and the DAP for the full SAFERTOS variant is created and issued. All work is performed using a mature, safety critical design life cycle, with independence between designer and tester, and oversight from an independent reviewer.
Additional independent TÜV SÜD certification for SAFERTOS on a specific processor/compiler combination can be separately purchased. Here, once the SAFERTOS development and verification process has been completed, WHIS will submit SAFERTOS and the DAP to TÜV SÜD for independent certification.