As medical devices increase in functionality, they need more robust and complex embedded software. Handling that complexity usually requires the software to utilize an operating system (OS). Choosing a commercial OS, however, typically involves making compromises among attributes such as development cost, user interface, and realtime operation. An OS that offers separate software partitions to run different applications in both eliminates compromise and simplifies development.

Fig. 1 – A partitioned OS separates application software into software partitions that operate independently, preventing code on one partition from affecting the behavior of another.

There are many benefits to using a commercial operating system in a medical design. Interfaces such as networking or USB typically require a software stack that relies on an OS to ensure that the data sent to the device is not lost when the device is busy with other tasks. A complex device might need a graphical user interface, which comes with many OSes, to help simplify its use. Many medical devices require rapid response to events and timely execution of key tasks, calling for the reliability of a real-time operating system (RTOS) to ensure that patient-critical operation is not compromised by other device activities such as communication with the outside world.

Medical devices may also need the safety available from an OS that prevents misbehavior in one section of code from compromising operation of other sections.

In addition to providing a robust framework for controlling device operation, an OS can reduce development costs by providing built-in functions such as communications software stacks and user interfaces. Further, OSes simplify both initial software development and later software reuse by abstracting the underlying hardware to provide a uniform application programming interface (API) for designers to work with. Both attributes help free developers to spend their time on creating the unique functionality of their design.

For many developers, however, using a commercial OS can be considered too close to a lock-in with a specific OS vendor. As a result, many medical device manufacturers turn to an open-source OS, such as Linux, because it offers a good compromise of functionality, cost, and vendor neutrality. Also, Linux has a good track record in medical devices.

However, Linux is not the answer to all medical device software requirements. It is large in footprint, often requires extra memory and cost for the embedded device, and does not always have the real-time determinism needed for medical devices that have time-critical tasks like data capture. Also, while Linux is very reliable when compared with other desktop OSes, it doesn’t have the safety-critical pedigree that can be found in RTOSes that have been used in applications in the avionics, automotive, or industrial control industries.

Safety-Critical Systems

Fig. 2 – The LynxOS-SE OS is used by Elekta as a safe and secure platform for their software development for medical devices.

In safety-critical systems, the operating system must do more than just run multiple tasks — it must run multiple tasks and applications safely. Any fault in a single application cannot bring down the whole system, or there is a potential compromise to the whole system. For example, if something untoward happens in the GUI part of the system (often one of the largest pieces of code), then it cannot affect the realtime or safety-critical part of the same system. Traditionally, this was dealt with by having separate physical systems, but now as more functionality is built into a single system, this separation needs to be achieved in software. Enter the partitioned operating system.

A partitioned operating system involves multiple software partitions that have access to their own portions of memory, physical devices, and also their own timeslice of the processor. Any memory faults that occur in a single partition cannot affect the memory of other partitions, and any time faults (e.g. application halt) will not affect the running of other partitions. This approach is very commonly used in safety-critical avionics applications, where cockpit space and size, weight, and power (SWAP) considerations are critical.

Medical Designs

Medical designs also already exist that use this approach and have reaped its benefits. For example, the international medical technology company Elekta (Norcross, GA) uses an open standards-based RTOS for current and future medical devices. Elekta specializes in systems for radiotherapy and radiosurgery that treat cancer and brain disorders. The Elekta Synergy image-guided radiation therapy system (Fig. 3) uses high-resolution imaging taken in 3D and at the time of treatment. The technology streamlines the processes of assessing patients and beginning treatment. It also gives surgeons up-to-date image data so they can target a higher proportion of an affected area while minimizing damage to surrounding healthy tissue.

Fig. 3 – Elekta based its Synergy image-guided radiation therapy systems on the LynxOS-SE partitioned OS to reap the benefits of partitioning in present and future development efforts.

The company’s current product development activities include a digital treatment control system that drives the digital linear accelerator range of products. For this technology, it is important that the company can quickly port its software applications across a variety of products to improve reliability and reduce time to market. For its new treatment system and subsequent generations of products, Elekta looked for a high-performing OS that had the additional requirement of hard partitioning to allow other applications to run concurrently without interfering with each other. To meet these criteria, Elekta chose an open standards-based system that uses POSIX technology: the POSIX-conformant LynxOS-SE.

The design of the new product using LynxOS-SE was undertaken by a small team of engineers at Elekta’s UK design center. The engineering team was experienced in real-time development and completed the design, including porting and writing of drivers, within their project timescales. The portability and open-standards aspects of LynxOS-SE were fundamental to achieving the short time-to-availability of the first prototype.

Another key team objective was to create a generic base on which to build future products. This platform will include radiotherapy systems and a number of other products that will make complex procedures faster and more effective. Because the future product strategy for Elekta will also consider some new hardware architectures based on 64-bit multicore technology (already supported by the LynxOS-SE OS), the portability of the code is not just across multiple systems; it can also follow new technologies as they emerge.

As medical devices become even more complicated, an extension to the partitioned OS is required for security, in order to prevent either the device or its stored patient information from becoming compromised.

Now, a new combination of partitioning and separation is joined by virtualization. This approach allows not just different applications, but different operating systems to reside on the same system for the varying tasks of communications, realtime operation, user interface, and so on. This multiplicity of OSes is accomplished by utilizing a hard-partitioned separation kernel and embedded hypervisor combination product.

A separation kernel is a small, lightweight OS that is the lowest- level connection to the processor. It provides secure partitions (Fig. 1) through which applications can run, and gives each partition access to both physical and virtual resources that the other partitions cannot access. When a separation kernel is combined with an embedded hypervisor, the ability to run multiple OSes together (while maintaining the separation between them) on the same hardware platform becomes a reality (Fig. 2). From the software perspective, the partitions are “virtual machines” that act as though they were independent devices. This partitioned virtualization architecture provides both safety and security between partitions, operating systems, applications, and physical devices.

These virtual machines (VM) help simplify overall system design. Developers working with the user interface, for instance, need not be concerned about their code’s impact on the system’s real-time operation if the two functions are in separate VMs. The separation even addresses vendor neutrality and design reuse. Application code based on an open source OS can run in its own virtual machine, and legacy code can be run in the environment for which it was developed. The LynxSecure product from LynuxWorks is an example of a separation kernel and hypervisor solution.

Both the partitioned OS and the separation kernel/hypervisor help simplify both current and future software development. They also help ensure safe operation and provide opportunities for using commercial software without being locked into specific vendors. Medical devices may become more complex, but software development should remain simple and functional.

This article was written by Robert Day, Vice President of Marketing for LynuxWorks, San Jose, CA. Contact Robert at This email address is being protected from spambots. You need JavaScript enabled to view it., or visit http://info.hotims.com/40429-164 .