Safety-certified Linux? Look closer: why certification alone isn’t enough

Safety-certified Linux? Look closer: why certification alone isn’t enough

Safety-certified Linux?
Look closer:
why certification alone isn’t enough

Reading time
6 minutes

Certification ≠ assurance

Safety certification often feels like a milestone worth celebrating. It tells you the software has met tough industry standards like ISO 26262 and passed important tests. But here’s the truth; certification is not the finish line. It’s just one step on a much longer journey.

Imagine buying a car just because it has a safety sticker on the windshield. Without knowing what tests were done, how thoroughly the vehicle was inspected, or whether the certification covered all critical parts, that sticker means little. The same is true for safety-certified Linux platforms.

What really counts isn’t the certificate hanging on the wall, but the story behind it: how the certification was earned and exactly what parts of the software were put under the microscope. Without knowing those details, that shiny safety stamp can easily lead to a false sense of security.

 

Compliance, not certification, is what counts

There is a common misconception that certification is a product badge guaranteeing safety. In reality, certification is a statement of compliance to a defined safety standard, usually within certain boundaries and scope. It confirms that the product meets specified criteria but does not guarantee safety in every context.

Independence plays a critical role in demonstrating compliance. Certifiers should act as impartial evaluators who have no stake in the product’s development or outcome. When assessors become too involved in co-developing the compliance package, the objectivity of the certification can be compromised. This blurs the line between evaluation and partnership and risks undermining credibility.

A car and two people shaking hands

 

At Elektrobit, we follow a clear model of independent evaluation. Our EB corbos Linux safety extensions undergo assessments by independent certification bodies such as TÜV Nord and TÜV SÜD. Both the processes and safety elements are scrutinized separately to ensure unbiased validation. The strength of any safety claim depends heavily on how independently compliance was demonstrated.

 

Completeness and correctness: it’s not just the kernel

Functional safety requires more than just technical checks on isolated components. Safety standards demand completeness and correctness across the entire software platform.

Completeness means covering all relevant safety elements. Correctness means proving those elements behave as intended under all conditions. In many Linux-based safety-certified platforms, only certain functions—often limited parts of the kernel—are covered. The rest of the platform might be outside the certification scope. This forces customers to justify how they use or remove uncovered parts, placing the burden of safety arguments on them.

Many safety arguments rely on upstream open-source communities that are not governed by strict safety processes. Open-source software alone does not guarantee safe-by-design quality, especially when the safety process is fragmented or community-driven without defined controls.

Without full control over every element and its development process, proving completeness and correctness becomes difficult and less trustworthy. Comprehensive safety requires control and governance from start to finish.

An iceberg with the tip sticking out of the water with the text “Certified Kernel Components” above it and the larger part of the iceberg below it with the text “Uncertified Platform Parts” and a penguin.

 

The process Achilles’ heel of open source

Open-source development favors speed, transparency, and community-driven iteration. These are major strengths, but they don’t naturally align with the disciplined, traceable processes required for functional safety. Instead of forcing open-source projects to meet every process requirement retroactively, safety can be ensured by containing their role within the system.

This is why architectural boundaries matter. By isolating general-purpose components like Linux from safety-critical functions, and enforcing strict interfaces between them, developers can limit risk without rewriting the rules of open-source development. In other words, the system’s architecture does the heavy lifting, so that safety doesn’t depend on perfect process control across every software component.

A car on which a worker is welding something

 

Know what you are buying

Before you commit to any safety-certified platform, it’s worth taking a closer look at what that certification actually covers, and what it doesn’t.

To summarize:

  • Certification is not an objective in itself. It is the result of how compliance was demonstrated, and that process must be transparent and independent.
  • Functional safety requires full coverage and proven correctness. Partial assessments or hopeful assumptions expose you to risk.
  • If a platform passes off safety responsibility to you, it may be certified, but you remain exposed.

Elektrobit’s EB corbos Linux for Safety Applications offers a high-integrity, TÜV-assessed platform with built-in compliance processes and safety enforcement. With us, you do not carry the risk alone. You gain a trusted partner who helps you build safer software-defined vehicles.

For a deeper dive and to read more on this topic, check out this blog: Why functional safety starts with architecture, not auditing.

Ready for a closer look at EB corbos Linux for Safety Applications? Find out more here.

Author

Jens Petersohn
Director Product Management HPC


© 2011-2025. Elektrobit.
All Rights Reserved.
VAT ID No. DE 132503195

company
Trends
Products
 
  • Instagram
  • LinkedIn
  • YouTube