Thought Leadership

Safety Certification of Software Modules – What and Why is it?

By Scot Morrison

Standards apply to products, services, and everything in between. Products, processes, services and even people can be certified. According to the International Organization for Standardization (ISO)’s website, “Standards are the distilled wisdom of people with expertise in their subject matter and who know the needs of the organizations they represent – people such as manufacturers, sellers, buyers, customers, trade associations, users or regulators.”

Of all standards that exist, the ones concerned with safety are of prime importance. For automotive manufacturers, any device or its underlying software must adhere to three important safety certifications, IEC 62394, IEC 61508, and most importantly, ISO 26262.

IEC 62394 applies to consumer electronics. It specifies requirements for service diagnostic software to be implemented in products that incorporate a digital interface.

The Functional Safety standard IEC 61508 for Automotive Electric/Electronic Systems covers numerous activities and processes in the product development lifecycle. ISO 26262 is a Functional Safety standard published by the ISO and is targeted at road vehicle safety. The ISO 26262 standard is derived from IEC 61508. While we’ll focus on software for this article, the same caveats apply to hardware and combined systems (“units”) in the automobile.

A suitable software architecture is indispensable for corresponding software projects according to ISO 26262. This safety architecture shows the independent software elements and their interfaces. Freedom from Interference is one of the core tenets of this safety architecture

Based on the above information, we know that software used in automotive applications must adhere to the aforementioned safety standards. These safety standards concern themselves with a “unit”, or a standalone component of a car such as an anti-lock braking system, or a stability controller, which consists of both software and hardware. However, automotive software suppliers talk about certified software, which is only part of a unit? What does it even mean to have certified software and how is it supposed to be used?

A software component is certified after the software and all appropriate developmental artifacts (designs, implementation, verification, validation, etc.) have been reviewed by a respected third party and shown to have been developed in compliance with the appropriate safety standard(s); Siemens Embedded’s certifier is TÜV SÜD. It will also come with additional documents that you should fully understand:

•            Technical Report, describing the environment(s) under which the certification is valid

•            Report on the Certificate, discussing the scope of testing, and

•            A Safety Manual, describing the conditions under which the certification is valid.

The most important of these is the Safety Manual, which augments the product’s standard documentation and describes the conditions under which the software component must be used when included in a certified Unit. The Safety Manual will describe how the software must be installed and checked, which features (if any) must be used or not used, etc. For example, the Nucleus SafetyCert Safety Manual makes clear that while there are private entry points included in the software, these may not be invoked directly by application software; only those public interfaces documented in the package may be used. Any such caveat in the Safety Manual becomes additional requirements on the application that the user must verify. In many cases, these are not difficult to fulfill but must be understood and verified to ensure there are no issues when attempting to certify a device.

Nucleus® SafetyCert™ is a safety-certified, real-time operating system (RTOS) and middleware package targeting high-performance, next-generation applications. Nucleus SafetyCert meets the growing need for highly reliable software and shortens the path to regulatory certification. The Nucleus SafetyCert offering is a complete solution, with industry-specific documentation and artifacts that have received third-party certification.

ISO 26262, originally established in 2011 and updated in 2018, proposes process and design integrity recommendations covering the full product life cycle for road vehicles. ISO 26262 tailors the recommendations based on several levels of risk classification, known as Automotive Safety Integrity Level (ASIL). There are four levels, ranging from ASIL-A (low-risk reduction needed) to ASIL-D (high-risk reduction needed).

Nucleus® SafetyCert™ is certified for ASIL D ISO 26262 on ARM R5 cores but will run on all modern ARM (R and M), and RISC V cores and can be certified on those if required.

It is also part of Siemens’s Multi-OS mixed safety-criticality solution when combined with their Multicore Framework Cert product.

Nucleus® SafetyCert™ combined with Nucleus™ Multicore Framework Cert can help enable a multi-OS mixed-criticality system on a Multi-Processor SoC. Nucleus® SafetyCert™ RTOS includes a safety-certified process model for memory partitioning. The Nucleus® SafetyCert™ RTOS partitions memory to isolate software subsystems into separate space domains, which serve as protected regions to contain and isolate faults to a subsystem’s respective memory.  The partitions serve to isolate safety-critical code from non-safety subsystems for mixed safety-critical designs.

The Nucleus® SafetyCert™ offering includes a certified version of the Nucleus™ RTOS kernel with runtime libraries, connectivity middleware, networking, and data storage. The certification package includes source code and the following documentation based on industry-specific requirements:

  • Software development
  • Software configuration management
  • Software quality assurance
  • Software requirements
  • Software design standards
  • Software coding standards
  • Software verification
  • Software test plan
  • Complete software test suite
  • Safety manual

The Nucleus SafetyCert documentation and artifacts have clear traceability across the safety lifecycle and are hyperlinked for ease of navigation to streamline audits and reviews. Learn more

Leave a Reply

This article first appeared on the Siemens Digital Industries Software blog at