Safety-certified software advances on multicore SoCs

Rather than the discrete, single-function platforms of the past, today's industrial systems are built around multicore processors that are increasingly packing performance into compute equipment. Now, software developers are taking advantage of these multicore architectures with RTOS and hypervisor solutions that enable multifunction, safety-certifiable industrial systems that still retain their deterministic nature.

Industrial embedded systems aren’t what they used to be. Trends in mobile technology and touchscreen GUIs inspired by the consumer market have steadily broken down traditional notions of the industrial embedded system, with new designs continually looking to exploit features and functionality rooted in the bring your own device (BYOD) and Industrial Internet of Things (IIoT) movements.

However, while following suit with macro trends in the electronics industry allows for differentiation in an otherwise sluggish industrial market, integrating new technologies into resource-constrained machines that have historically relied on closed control loops also invites a range of challenges for developers, principally in the areas of performance, security, and software footprint. But now, given consistent advances in processor technology over the last decade, embedded software vendors are rolling out safety-certifiable solutions that promote platform differentiation and meet the requirements of demanding industrial settings.

“Six or seven years ago it was all PowerPC, but what’s happened is that we’ve gone into a multicore world and you’ve started seeing work its way into this market,” says Warren Kurisu, Director of Product Management, Runtime Solutions at (www.mentor.com). “We went from homogenous multicore to heterogeneous multicore, and now you’re starting to see soft-core work into the multicore architectures.

“With the convergence of heterogeneous architectures, customers are asking how they can leverage heterogeneous systems architectures (HSAs) to enable differentiation and downstream CAPEX and OPEX,” Kurisu continues. “So, ‘How do we leverage multicore to get the power savings, reduced BOM costs, and all of that?’ With this comes a complex problem – how do I manage them across different cores, manage them across different channels, etc.? Our solution allows you to bring multiple different operating environments on a single architecture.”

Kurisu refers to the company’s Mentor Embedded multi-platform solution, a software stack for the industrial automation market based on an IEC 61508-certifiable version of the Nucleus RTOS that includes multicore support, Mentor Embedded with integrated industrial protocols, the Sourcery CodeBench and Analyzer, and Qt graphics, among other features (Figure 1). Yet, the key to this and other emerging products is advanced hypervisor technology, which facilitates the separation of critical functions and allows manufacturers to realize the benefits of consolidation on the factory floor.

Figure 1: The IEC 61508 SIL3-certifiable Mentor Embedded multi-platform solution provides support for both heterogeneous and homogeneous multicore SoCs, as well as integrated runtime tools that enable legacy code reuse.

The safety-certified hypervisor

As mentioned, hypervisors in today’s industrial automation devices are often used to separate an OS running safety- and mission-critical applications (such as motor control) on one processor core from an OS running another application (such as the user interface) on a different core (Figure 2). Thanks to the advent of multicore and hypervisor technology, these virtual machines (VMs) can operate nearly independently of each other as if they were the only OS or application running on a chip.

Figure 2: Hypervisors work to partition operating environments, memory, and devices within multicore-based industrial systems.

Recently, however, traditional hypervisor models have begun to reveal performance and certification limitations for developers of safety-critical systems. Typically, when consolidating a system onto a single SoC platform, hypervisors share system resources by bitmapping a memory scan from one OS to the other. While the performance bottleneck and complexity of this architecture are acceptable for certain applications, for others they are not, and the model also requires that custom drivers be developed for certain types of resource sharing (such as I/O devices, network connections, and file systems). Each time a custom driver is developed for a particular system, or an OS or application is modified, the system must be retested and recertified.

To mitigate these development challenges for engineers, QNX Software Systems has released the QNX Hypervisor 1.0, an IEC 61508-compliant hypervisor that looks to eliminate the performance losses and certification headaches associated with custom drivers by circumventing them altogether. According to Chris Ault, Senior Product Manager at QNX (www.qnx.com), rather than utilizing low-level drivers, the type 1 hypervisor facilitates higher level commands between VMs so that certain system components can be shared between OSs while keeping them securely partitioned.

“The job of the hypervisor is to run the image right after board startup, and there’s a flat text file that describes what machines need to be created, what memory ranges need to be applied to each VM, and so on,” says Ault. “Then each VM reads its own subconfiguration VM file and says what resources it needs.

“On the surface this looks like what competitors are doing with a client/server relationship, but instead of using a shared device driver, we’re marshalling the high-level commands from one VM to another so that the performance, simplicity of the device driver, and simplicity of the architecture are improved,” he continues (Figure 3). “Yes, the GPU and device driver need to be owned by the safety-critical OS, but we have tools in place so that the non-safety OS cannot impact the OS resources.

Figure 3: The QNX Hypervisor 1.0 allows common resources and components to be shared across VMs while remaining securely partitioned and certified.

“This is embedded versus IT virtualization because the real-time nature of access to the hardware is so important,” Ault says. “So rather than a broad suite of emulators or device drivers without traction in the field, we’re binding hardware to the VM and also leveraging assets that are already present in the OS to reduce testing when using these types of devices.”
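As an added example (my own code, not QNX's or the article's), the Python script below parses a constructed, hypothetical flat-text VM description in the spirit of the startup file Ault describes and checks the space-partitioning invariants a safety reviewer would want to hold: no two VMs may share a core, a device, or an overlapping memory range. The file layout and the `vm`/`core`/`memory`/`device` keys are assumptions, not the real QNX Hypervisor format.

```python
# Added example, not the QNX Hypervisor's format: key names and layout are assumptions.
SAMPLE_CONFIG = """\
vm motor_control            # safety-critical VM
  core 0
  memory 0x80000000-0x83FFFFFF
  device gpu
  device can0
vm hmi                      # non-safety VM, constructed to contain two violations
  core 1
  memory 0x83F00000-0x87FFFFFF
  device gpu
"""

def parse_config(text):
    """Parse 'vm NAME' blocks with core/memory/device lines into a dict per VM."""
    vms, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments and indentation
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key == "vm":
            current = vms.setdefault(value, {"cores": set(), "memory": [], "devices": set()})
        elif current is None or key not in ("core", "memory", "device"):
            raise ValueError(f"unexpected line {line!r}")
        elif key == "core":
            current["cores"].add(int(value))
        elif key == "memory":
            lo, hi = (int(x, 16) for x in value.split("-"))
            current["memory"].append((lo, hi))
        else:
            current["devices"].add(value)
    return vms

def find_conflicts(vms):
    """Return one message per violation of exclusive ownership between VM pairs."""
    problems, names = [], sorted(vms)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for core in sorted(vms[a]["cores"] & vms[b]["cores"]):
                problems.append(f"core {core} assigned to both {a} and {b}")
            for dev in sorted(vms[a]["devices"] & vms[b]["devices"]):
                problems.append(f"device {dev} owned by both {a} and {b}")
            for lo1, hi1 in vms[a]["memory"]:
                for lo2, hi2 in vms[b]["memory"]:
                    if lo1 <= hi2 and lo2 <= hi1:          # closed ranges intersect
                        problems.append(f"memory {lo1:#x}-{hi1:#x} ({a}) overlaps {lo2:#x}-{hi2:#x} ({b})")
    return problems
```

Run against `SAMPLE_CONFIG`, `find_conflicts(parse_config(SAMPLE_CONFIG))` reports the shared GPU and the overlapping memory windows, which is exactly the kind of configuration a partitioning hypervisor must refuse before the non-safety VM can touch the safety VM's resources.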

In addition, the QNX Hypervisor 1.0 includes support for QNX Neutrino and Linux- and -based OSs, and pairs especially well with those that support a built-in scheduler for adaptive partitioning, Ault says. Through adaptive partitions, systems architects are able to specify the amount of resources that are made available for particular tasks, providing a mechanism by which safety-critical designers can manage platform resources without having to develop custom resource management schemes (Figure 4).

Figure 4: Adaptive partitioning allows the OS to allocate system resources by function, ensuring that critical applications consistently receive the processor bandwidth necessary to carry out specific tasks.
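As an added illustration (my own model, not the scheduler code of QNX or any vendor named here), the Python simulation below captures the guarantee Figure 4 describes: each partition is given a CPU budget over a sliding window, a partition still under budget always runs ahead of one that has exhausted its budget, and spare time is handed to whoever wants it rather than wasted. The partition names, budgets and the tick-based demand model are constructed assumptions.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Partition:
    name: str
    budget: float   # guaranteed CPU share, as a fraction of the averaging window
    demand: float   # probability the partition has runnable work on a tick (1.0 = runaway)

def simulate(partitions, ticks=10000, window=100, seed=1):
    """Tick-based model of adaptive partitioning. Under contention, ready partitions
    that have used less than their budget over the last `window` ticks are scheduled
    first; when every ready partition is over budget, spare time is not wasted but
    goes to the partition that is least over its budget."""
    rng = random.Random(seed)                 # fixed seed keeps the run reproducible
    history = []                              # which partition ran on each tick (None = idle)
    ran = {p.name: 0 for p in partitions}
    for _ in range(ticks):
        ready = [p for p in partitions if rng.random() < p.demand]
        if not ready:
            history.append(None)
            continue
        recent = history[-window:]
        usage = {p.name: recent.count(p.name) / window for p in partitions}
        under_budget = [p for p in ready if usage[p.name] < p.budget]
        pool = under_budget or ready          # budgets only bite while someone is under
        chosen = max(pool, key=lambda p: p.budget - usage[p.name])
        ran[chosen.name] += 1
        history.append(chosen.name)
    return {name: count / ticks for name, count in ran.items()}

def runaway_hmi():
    """A non-safety HMI spins at 100% while motor control needs about half the CPU."""
    return simulate([Partition("motor_control", budget=0.6, demand=0.5),
                     Partition("hmi", budget=0.4, demand=1.0)])

def both_saturated():
    """Both partitions want the whole CPU: the shares settle on the configured budgets."""
    return simulate([Partition("motor_control", budget=0.6, demand=1.0),
                     Partition("hmi", budget=0.4, demand=1.0)])

if __name__ == "__main__":
    print("runaway HMI:    ", runaway_hmi())     # motor control still gets ~50%
    print("both saturated: ", both_saturated())  # ~60/40 split as configured
```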

Multiple levels of criticality

As use of the aforementioned technologies has enabled the development of higher-end, more feature-rich industrial embedded systems, another software paradigm that has persisted for decades – the microkernel OS – is now being paired with multicore and virtualization to meet the needs of the broader industrial market. For devices in most automation and control environments where software footprint and resource constraints are top of mind, microkernel OSs are now being paired with fuller RTOS solutions to provide scalability across the full spectrum of industrial devices, from small sensor systems to full-blown, feature-rich designs.

For instance, Wind River recently announced a microkernel profile for its VxWorks OS that eases certification efforts because of its small code base, and is an efficient option for both single-core systems and platforms built on a big core/little core processor paradigm, says Prashant Dubal, Director of Product Management at Wind River (www.windriver.com).

“Where in the past you might use MCUs, today it has become plausible to apply multicore SoCs even in lower end devices,” Dubal says. “We are seeing a trend in the industrial market where they are moving from 16-bit MCUs to 32-bit MCUs, and also some processors that have a memory management unit (MMU). Part of the reason this is happening is consolidation and the price point of processors with an MMU, so things are evolving and people are trying to take advantage.”

“Either you could run VxWorks in a multicore or unicore (SMP) situation, but then there’s also a small processor core where you can run a microkernel core,” he continues (Figure 5). “The two then work together, with the microkernel core running power management. It can go all the way down to 2 KB to do something very specific on a sensor, but normally it’s around 10 KB to 20 KB.

Figure 5: The Wind River Microkernel Profile for VxWorks is an extremely small footprint (10 KB – 20 KB) OS for resource-constrained systems.

“The other combination is that you could run two instances of VxWorks and do multiple criticalities,” Dubal says. “If you need certification, there’s a safety profile on top that enables quick certification to IEC 61508 for the microkernel, then the three play together to form a solution within the VxWorks family. To complete the spectrum, if you go to a very high-end CPU, now you can take advantage of virtualization on VxWorks and run multiple OSs or instances of OSs on top of it. So you scale from a microkernel alone to a microkernel and VxWorks, then multiple instances of VxWorks (Figure 6). The beauty of all of these profiles is that they all work with each other, so you can mix and match depending on what kind of solution you’re working on.”

Figure 6: The Wind River Microkernel Profile for VxWorks provides the foundation of a safety-certifiable suite of scalable OS solutions for developers of industrial systems.

Utilizing virtualization with VxWorks as previously mentioned also allows engineers to take advantage of time and space partitioning to reach IEC 61508 certification so that certified and uncertified applications can execute securely on the same system; one OS instance could be running uncertified Linux applications while another is certified up to safety integrity level (SIL) 3 to give developers maximum design flexibility.

Safety-certified software for advancing in the IIoT

As features and connectivity are continually added to keep pace with the advances of the IIoT, the embedded industry must continue to innovate software that will serve as the basis of secure and efficient industrial devices. By taking advantage of the possibilities now afforded by , embedded software vendors are already laying that foundation for safety-critical systems.