© 2026 Systems Leadership and Engineering Network. sylen.org.

Embedded Systems | Source: linuxfoundation.org | February 18, 2026

Embedded Linux in Safety-Critical Systems: The IEC 62443 + IEC 61508 Interface

Using Linux in safety-critical industrial control systems requires navigating the intersection of IEC 62443 (industrial cybersecurity) and IEC 61508 (functional safety). This technical guide addresses RTOS vs. Linux architectural decisions, partitioning strategies, and the certification path.

Embedded Linux in Safety Systems: What the Standards Demand

Embedded Linux is increasingly found in safety-critical industrial applications. The certification path is not straightforward, but it's tractable.

The core problem: Linux was not designed for determinism or safety certification. Using it in IEC 61508 SIL 2+ applications requires extensive architectural mitigations.

Partitioning as the primary mitigation: The dominant approach is to isolate safety-critical functions on a safety-certified RTOS (e.g., INTEGRITY, LynxOS, QNX) and run Linux on a separate partition for non-safety functions. Hypervisors with certified separation kernels (e.g., SYSGO PikeOS) enable this on a single SoC.

PREEMPT_RT Linux: For SIL 1 and some SIL 2 applications, PREEMPT_RT Linux with a documented safety manual is gaining acceptance with some certification bodies. The Linux Foundation Safety Critical SIG is working on formal qualification data.

IEC 62443 interaction: Security patches for Linux introduce configuration changes that must be managed within the functional safety change management process. This creates tension between rapid security patching (security best practice) and controlled configuration management (safety requirement).

Read the original article at linuxfoundation.org.