Over the past couple of years, there have been numerous articles posted on the Intel® Embedded Community web site that focused on security topics. Today let’s discuss a similar but separate topic – safety. Embedded systems used in applications in the transportation industry, industrial process control, power generation, and similar instances must meet relevant safety standards, primarily IEC 61508. That standard seeks to ensure the safety of people, ranging from workers involved directly with a system managing a process or some other application and citizens in general. Embedded design teams working on applications with safety requirements can utilize operating systems certified to IEC 61508 combined with redundant Intel® Architecture (IA) processors to quickly deliver systems that meet the most stringent safety requirements.


First let’s briefly consider the similarities and differences of safety and security requirements. Both require a compartmentalized approach to protect systems both from inadvertent faults and malicious activity. In security systems, the primary goal is to ensure the reliability of data – financial data or data that might control a military mission. In safety systems, the primary goal is ensuring that a system operates in a fail-safe manner.


Some of the same techniques are useful in both safety and security applications. Redundant hardware is often used. And software techniques such as Intel® Virtualization Technology (VT) are used to partition and protect the mission-critical elements of the code.


Security requirements are prescribed by the Common Criteria for Information Technology Security Evaluation (called Common Criteria or CC) defined in the ISO/IEC 15408. The CC provides a framework of security levels called the Evaluation Assurance Level (EAL) – EAL 1 through EAL 7, with EAL 7 being the most secure system. For more background, review the article I posted last year about separation kernels and EAL compliance.


Safety requirements are prescribed by the IEC 61508 standard that is entitled “Functional safety of electrical/electronic/programmable electronic safety-related systems.” Safety levels are graded based on a SIL (Safety Integrity Level) scale that suns from SIL1 to SIL4. SIL3 is considered the highest-level that can be achieved using a programmed microprocessor-based system.


The safety standard prescribes the need for functional safety that relies on an active system. For example, consider a process-control application that involves a dangerous chemical. A containment vessel that might limit the damage should an overflow occur is considered a passive system. Sensors and check valves that prevent an overflow would be considered an active system.


Hardware and software safety elements


There are both hardware and software elements involved in designing for safety compliance. Primarily we’re going to discuss software – operating systems specifically – in this article. But there is an excellent hardware-centric whitepaper that has been posted on the Intel Embedded Community site by Men Mikro Elektronik GmbH*. The paper is entitled “Implementing safety-critical embedded systems designs” and it covers more details on the SIL levels and focuses on strategies for deploying redundant modular systems and meeting safety requirements.


On the software side, several embedded-operating-system vendors have products that have been certified to SIL3. And some vendors offer both safety and security certifications in the same product.


Consider QNX Software Systems** and the QNX Neutrino Realtime Operating System (RTOS) Certified Plus product. The RTOS has been certified to SIL3 and EAL 4+. The safety certification was performed by conformity-assessment specialist Sira Test & Certification who is accredited by the United Kingdom Accreditation Service. The key to compliance is a modular microkernel architecture utilized in the RTOS. Applications, device drivers, file systems, and network stacks all run in separate memory-protected partitions.


QNX has also published a series of two whitepapers entitled “Building functional safety into complex software systems. Part 1 of the series coves the basics of safety theory and provides some illustrative real-world examples to explain the concepts. Part 2 digs deeper into actual implementation scenarios. The illustration below is from Part 2 and illustrates Reason’s Model explaining how faults become failures.




Green Hills Software*** also offers an SIL-3-certified RTOS. The Intergity/velOSity product was certified by TuV Nord certification body. The company actually offers what it calls the Green Hills Platform for Industrial Safety that it targets specifically at systems developed for the automotive, rail-transportation, nuclear-power, and similar industries. The platform combines the RTOS, middleware, a development and verification tool set, and services including system certification support. The diagram below summarizes the coverage of the platform.




Green Hills also has an excellent web page that covers the safety topic. The Integrity architecture partitions code that run at different safety levels and allows a single microprocessor to safely run critical and noncritical partitions. velOSity is the kernel that underlies the Integrity platform.


Middleware includes network support, graphics and video support, a file system. Moreover embedded databases allows for the safe storage and retrieval of complex data using a structured architecture.


Green Hills also has partners that contribute to the safety platform. For example, design teams can use Telelogic’s Rhapsody modeling and code-generation tools, Esterel Technologies’ modeling and code-generation tools, and Vector Software’s test and code-coverage tools in safety-critical designs.


Has your design team tackled a project requiring SIL certification? How did you approach the problem? Did you rely on a commercial software platform? Please share you experiences with fellow followers of the Intel® Embedded Community via comments. Readers would welcome your insight into the safety issue.


Maury Wright

Roving Reporter (Intel Contractor)

Intel® Embedded Alliance


* Men Mikro Elektronik GmbH is an Affiliate member of the Intel® Embedded Alliance

** QNX Software Systems is an Affiliate member of the Alliance

***Green Hills Software is an Affiliate member of the Alliance


More information




To view other community content focused on security, see “Security – Top Picks.”