Professional Articles

Integrated RTOS and Hypervisor Ecosystem for MPU and MMU-based Processors

Hybrid system-on-chips increasingly integrate heterogeneous processors. However, developers see them as one component that they want to develop as integrated as possible. A homogeneous RTOS and hypervisor ecosystem for both MPU- and MMU-supported processors provides the critical convenience gain.

With ever smaller manufacturing processes, increasingly more intelligence and thus higher added value can be implemented in a given space. Semiconductor manufacturers are using the freed-up space to integrate process-ornative interface logic and heterogeneous processor cores in order to provide holistic system solutions on a chip (SoC). The goal is to obtain more responsive electronic devices of smaller design and with lower energy consumption, in which vision systems and artificial intelligence are increasingly being implemented. In addition to applications in the field of consumer electronics, this applies primarily to controls based on situational awareness with functional safety that are likely to use heterogeneous SoCs. This is then generally accompanied by component consolidation to reduce costs.

Real-Time SoC for functional Safety

Markets for heterogeneous SoC applications with functional safety can be found, for example, in industrial automation, collaborative robotics and MRD-certified (Medical Device Regulation) medical technology, as well as in numerous new mobility applications. The focus ranges from autonomous intralogistics vehicles and smart construction and agricultural machinery to electromobility, rail transport and avionics. All these markets are growth drivers for such heterogeneous SoC solutions. A new application field closely related to these applications is also functionally safe tactile 5G applications and thus ultimately also real-time capable edge servers at campus network and carrier level, which communicate with their autonomous real-time clients via TSN over 5G and even network slicing if necessary.

The need for heterogeneous SoCs can be illustrated particularly clearly by the automotive industry: Here, it has been common practice to integrate a large number of discrete ECUs per vehicle. In the meantime, there are over 100 ECUs distributed throughout the vehicle in a normal car. In the luxury class, sometimes even more than 300 ECUs are installed. The set of microcontrollers ranges from 8-bit to 32-bit processors. In the course of the development of electromobility and increasingly autonomous driving, however, the distributed controller designs are being completely rethought and significantly more highly integrated systems based on heterogeneous SoCs are being implemented. They should even enable peaceful coexistence of applications with and without as well as graded functional safety - i.e., mixed-critical systems.

SIL, ASIL and DAL certifiable

One SoC family that is certifiable for such applications at various SIL, ASIL and DAL levels, among others, are the Xilinx Zynq Ultrascale+ MPSoCs. They integrate 6 arm cores, numerous standard interfaces, and FPGA logic for application-specific design of the SoC. This makes them extremely multifunctional and predestines them even for retrofit solutions in legacy applications. Four 64-bit Arm Cortex-A53 cores with full ECC support and a lockstep-capable and thus functionally safe 32-bit Arm Cortex-R5F dual core are available. The FPGA offers between 81,000 and 504,000 system logic cells depending on the design. A Mali 400-MP2 GPU is also optionally integrated, which can be used for graphics or for AI inference logic. Additionally, optional H.264 and H.265 codec support is given. The resulting application areas are diverse and include safe headless systems such as motion controllers, graphics and/or AI-based systems, and camera-integrated systems that need to process video codecs for situational awareness and augmented reality extremely fast and, in the case of autonomously moving systems, also in deterministic real time.

The Xilinx Ultrascale+ MPSoCs integrate four MMU and two MPU-based Arm Cortex cores as well as powerful FPGA logic, for which numerous application-ready devices are also available.

Collaborative Robots and autonomous Driving

In a collaborative robot or autonomous intralogistics vehicle, for example, this SoC can connect a camera to the integrated FPGA to process the image data. The data processed in this way can then be analyzed via the real-time capable image analytics installed on the Cortex-R5F arm with optional integrated inference logic to detect obstacles, for example. Depending on the integrated decision logic, results can be sent to the more powerful ARM Cortex-A53 Application Core via the Intercore communication channel as a result. The higher-level real-time control logic for autonomously controlled locomotion then takes place there. If there is a risk of collision, the direction of travel is changed in accordance with the now best possible route to the destination. To correct a single point of failure (SPOF) in the evaluation of the image data, the two cores of the Arm Cortex-R5F could even operate in lockstep mode. Of course, the Arm Cortex-R5F can also be used for control tasks in combination with the FPGA. For example, servo motors can be addressed directly. Individual tasks of an application can also be distributed to these different resources to achieve maximum performance with minimum resource usage. Another interesting use is to run a controller on both the R5 core and the A53 core to create diversitary core redundancy within a single SoC.

Complexity Challenge

However, one of the biggest challenges of these SoC designs is the high cost of developing and maintaining such heterogeneous solutions. Therefore, an application development of the SoCs that is as integrated as possible is required, as this is the only way to achieve synergy effects which reduce NRE costs and make the development of optimally performance-balanced real-time systems more efficient. For example, it can be a major challenge to operate the individual subsystems inference-free on such an SoC. This also applies to cache inferences in multi-core implementations. It should also be possible, for example - and this is particularly important for application developers - to assign tasks of an application to one core and sometimes to the other core as required without having to invest a great deal of development effort.

The PikeOS variants for MMU- and MPU-based processors can be operated in parallel on the Xilinx Ultrascale+ SoC and communicate seamlessly with each other via intercore communication.

MMU- and MPU-supported Processors

This is not trivial with complex SoCs such as the Xilinx Zynq Ultrascale+ MPSoC, because with the Arm Cortex-A53 cores the working memory management is based on a Memory Management Unit (MMU), while with the Arm Cortex-R5F dual core it is based on a Memory Protection Unit (MPU). The difference between these different memory management systems is that an MMU can be used to convert virtual address areas into any physical address areas. The MMU therefore assigns a concrete address area to a process. A controller with MPU does not have this assignment function. The MPU still provides the protection that one process cannot write to the other in the same memory area. However, without an MMU, each process must know exactly where to link. This is conceptually more complex as each process must be allocated a dedicated memory area. So the RTOS system software must provide the memory allocation API.

Two Worlds

In the previous RTOS and real-time hypervisor landscape, there have been no truly homogeneous solutions for managing such heterogeneous SoC with MMU- and MPU-based controllers. Most OS vendors have developed smaller RTOSs for the controllers with MPU, which have completely different APIs than the RTOS for controllers with MMU. This has also not played a major role so far, since these controllers have mostly been implemented discretely. As a result, RTOS for the MPU-based controllers were also trimmed to a slim footprint and minimal memory usage, which is one reason for these incompatibilities. The importance of this is also shown by the fact that these discrete controllers with MPU were often even programmed "bare metal" when multithreading was not required in order to realize ever smaller footprints with the associated benefits such as saving on licenses, lower hardware costs and easier certifiability. However, with homogeneous OS ecosystems for the development of MMU- and MPU-based SoCs and holistically integrated development environments, programming heterogeneous SoCs can be made much more convenient.

Overcoming heterogeneous OS Installations

With the launch of the PikeOS operating system and hypervisor for MPU in September 2021, the embedded software specialist SYSGO, whose focus is on functionally safe and IT-secure solutions, has now for the first time created such a basis, with which heterogeneous SoCs receive a homogeneous RTOS and real-time hypervisor ecosystem, significantly simplifying programming and payload balancing. PikeOS for MPU was developed for this purpose on the code side based on the PikeOS operating system for MMU-based processors. The APIs for programming applications for processors with MMU or MPU are therefore virtually identical. Essentially, only the memory management API was adapted accordingly. However, the change of an application from an MMU-based to an MPU-based core complex can be handled with a few clicks within a few minutes despite the different memory handling. Even more important is the advantage that code for both core variants (MMU and MPU) can be certified in a similar way.  Upcoming certifications of PikeOS for MPU based solutions can therefore build on the SIL 4, DAL A and ASIL D certifications of PikeOS for MMU.

Homogeneous OS Ecosystem for MMU and MPU

As both PikeOS and PikeOS for MPU are sharing  important core functions, such as the separation kernel or the time and space partitioning mechanisms, functionally could be kept identical. By strictly separating partitions, the separation kernel enables parallel operation of multiple applications - from simple but highly critical control tasks to complex user programs with many functions. In addition, the separation kernel eliminates the risk of application errors affecting other partitions and applications. The use of the same time and space partitioning mechanisms also brings PikeOS for MPU very close to the ARINC 653 specification for which PikeOS for MMUs was originally developed. This makes PikeOS for MPU suitable even for critical space and avionics applications.

A particularly interesting feature for the efficient development of holistic solutions based on heterogeneous system platforms is the ICCOM (Inter-Core Communication) functionality of both PikeOS derivates: This functionality allows PikeOS instances running on different ARM Cortex A and R cores to communicate with each other via message-based communication channels, regardless of whether the cores run different or same OSes. ICCOM is based on a symmetrical full-duplex data transport layer which guarantees the delivery of messages.

One IDE for all Cores

Starting with version 7.2 of the Eclipse-based CODEO IDE, both operating systems can be used in one integrated development environment (IDE). It can manage the entire software stack of heterogeneous SoCs and its inter-core communication within a single workspace, significantly simplifying the software development process for such complex target systems. The entire development cycle is supported from early QEMU-based system emulation and application simulation to remote debugging and software update mechanisms for deployed systems in the field.

Lauterbach's TRACE32 debug environment also supports combined debugging of MMU- and MPU-based targets. This also means that a TRACE32 hardware setup is sufficient to debug the entire Xilinx Zynq Ultrascale+ MPSoC platform with heterogeneous OS setup. However, one should no longer speak of a heterogeneous OS setup when using both PikeOS operating systems in tandem. It is rather a homogeneous ecosystem for heterogeneous SoCs, which also has a real-time Type-1 hypervisor integrated in both variants, so that multiple time- and memory-isolated, functionally safe applications of this or other OSes can be hosted in appropriately encapsulated virtual machines.

By starting an individual GUI for such OS partitions, software architects can also debug both PikeOS variants simultaneously - including synchronized start-and-stop events. This is especially useful when searching for errors in the communication between the individual subsystems. In addition, TRACE32 can trace the entire system and display graphical diagrams of application and function runtimes. Timing is synchronized, allowing the observation of the timing behavior of both PikeOS and PikeOS for MPU and the measurement of latencies between the two systems, thus facilitating performance balancing.

SYSGO offers ready-to-use images for the Xilinx Ultrascale+ Board ZU9EG. It is ideal for the evaluation of diverse interfaces and also flexibly expandable.

Processor Roadmap

Application development for heterogeneous SoC consequently becomes much more homogeneous with the new PikeOS RTOS and hypervisor ecosystem with solutions for MMU and MPU-based controllers on one chip. Solutions are not limited to the Xilinx Zynq Ultrascale+ MPSoC. Rather, support is given for Arm Cortex A53 and R5 cores and is thus portable. In the medium term, it is also planned to support all other variants of the Arm Cortex A, R and M cores and to extend support to Risc-V, MPC 57xx and TriCore AURIX processors - ultimately all MPU-based discrete processors and heterogeneous MMU/MPU SoCs. OEMs can also get support for their proprietary processor and SoC designs.

Focus on functional Safety

Certification kits for PikeOS for MMU are available for avionics (DO-178C), automotive (ISO 26262), rail (EN 50128 / EN 50657), industrial automation (IEC 61508) and medical (ICE 62304), for example. In addition, Application areas can be found up to the high Evaluation Assurance Level (EAL) 3+ or up to level SAL 4 according to the Avionics Airbus Security Certification Standard SAR, which is becoming more and more important in the context of increasing threats from cyber attacks. In addition, PikeOS is the only Separation Kernel (4.2.4) worldwide holding a current and valid Common Criteria certificate (EAL3+). The PikeOS ecosystem is thus also a perfect foundation, i.e., for all OPC/UA protocols synchronized via TSN that orchestrate autonomous vehicles and collaborative robotics connected to cloud-native edge servers via 5G. Beneficial for cellular-connected systems in this context is also the option to use SYSGO's Secure Automotive Connectivity Platform (SACoP) for car-to-car and car-to-X communication. It shields critical internal vehicle infrastructure from the outside world using firewalls and intrusion detection mechanisms. Thanks to implemented secure boot functionality, it also protects against OS compromises and the installation of manipulated boot loaders. It also supports secure over-the-air (OTA) updates as well as many other software management tasks such as upgrades for feature-based subscription economy licensing. As new customer projects emerge, all of this can also be ported to PikeOS for MPU.

Functionally proven in a challenging Environment

Existing installations also offer a high level of design security. For example, the RTOS PikeOS for MPU is already being used in space applications. The architecture used here is based on a proprietary discrete ARM Cortex-R52-based chip that is radiation-hardened to mitigate radiation-induced single event upsets (SEUs). Protection from SEUs is also quite interesting for autonomous driving and collaborative robotics on Earth. To be sure, SEUs appear much less frequently here. But there will be many more such systems in the future, which is why SEU-hardened processors are gaining in importance.

More information at www.sysgo.com/pikeos-mpu