The job of developing an embedded system for use in a medical device can be especially challenging. Developers in the medical field, like their counterparts elsewhere, must deal with tight schedules, stingy budgets, and lengthy requirement lists. However, developers of medical devices also must overcome a variety of industry-specific obstacles, many relating to the myriad rules and regulations that govern such devices.
As a result of the medical field’s regulatory environment, developers in this field tend to avoid many practices that are common amongst developers of non-medical products. One such practice is the use of a real‐time kernel. In the eyes of a large number of embedded systems developers, a kernel is a relatively low‐risk means of writing powerful, multitask applications. To a developer focused on the strictures of the medical realm, however, a kernel means little more than additional code and additional cost.
Unquestionably, medical products represent a unique case for kernel use. The additional risks faced by developers of medical devices who wish to use a kernel mostly involve the medical field’s regulatory environment, however. Kernel behavior is essentially the same in devices of all sorts.
Real‐Time Kernel Basics
One way to view a real‐time kernel is as a framework for developing multitask applications. When such a framework is unavailable, developers typically write their application code around a single infinite loop. A pseudocode example of this sort of loop is provided in Figure 1.
Figure 1: A simple approach to application design is to use an infinite loop
Since it consists of functions that are called in a fixed sequence, a loop, by itself, is not suitable for applications requiring quick responses to events. If, for example, USB data were received immediately after the example loop’s call to USB_Packet(), the data would not be processed until the subsequent call to that function. In other words, there would be a delay nearly as long as the execution time of the entire loop. To avoid this type of delay, developers augment their loops with interrupt service routines (ISRs).
Applications that incorporate a loop along with ISRs are typically referred to as foreground/background systems. The ISRs (or the foreground) execute whenever hardware needs urgent attention, and the loop (or the background) fills in the gaps. Foreground/background systems are used in a wide range of products, including medical devices, and there are plenty of developers who never take any other approach to writing application code.
Despite this popularity, the foreground/background model is not without its problems. Many of these problems become apparent when the need to expand an application arises. The example loop shown in Figure 1 might initially meet all of its developers’ needs; however, the expansion of this loop by just one function call, as shown in Figure 2, could be problematic. If the newly added function, Ethernet_Packet(), were lengthy, it might prevent other functions in the loop from being invoked at a suitable frequency. The SPI function, SPI_Read(), for example, might fail to read data at an appropriate rate following the expansion.
Figure 2: Expansion of a foreground/background system can be difficult
Most developers’ reaction in this situation would be to move SPI_Read(), and any other functions no longer able to meet their deadlines, to the foreground. However, a cluttered foreground can present just as many problems as a bloated background. On some microcontrollers, the execution of an ISR prevents not only background code from running, but also the code of other ISRs. Even on microcontrollers that support nested interrupts, at least a portion of the system’s interrupts are typically disabled while an ISR is running. Although a prioritized interrupt controller can provide some assistance for developers who have a large number of ISRs, code written around such controllers is often not portable or easy to maintain.
A real‐time kernel offers remedies to many of the problems that can plague a growing foreground/background system. At the foundation of any kernel‐based application are tasks, two examples of which are shown in Figure 3. Unlike the different functions called by a foreground/background system’s loop, the tasks in a kernel‐based application do not execute in a fixed sequence. Each task is assigned an importance, or priority, by its developer, and the kernel uses this priority to determine when the task should run.
Figure 3: Kernel‐based applications are made of tasks
The loop is not the only aspect of a foreground/background system for which a kernel offers improvements; kernels also provide more flexibility with respect to handling interrupts. In a kernel‐based application, interrupts are tied to scheduling. Accordingly, an application developer who uses a kernel can write ISRs that make tasks run.
An example kernel‐based ISR is shown in Figure 4. The line in the ISR reading “Signal USB task” would correspond to a kernel function call in an actual application. This call could be used to notify the task of an available USB packet and to enable the task to run. Based on the call, the kernel could conclude the ISR by switching to the signaled USB task, instead of returning to the task that was originally interrupted.
Figure 4: ISRs in a kernel‐based application are capable of signaling tasks
The ability to signal tasks from ISRs is important, because it allows developers to keep ISRs brief without sacrificing performance. In a foreground/background system, code that has been moved from the foreground to the background must wait its turn to execute, just like everything else in the background.
In a kernel‐based application, however, signaling can be used to write tasks that promptly respond to events, such as the reception of a USB packet. There are multiple data structures through which a kernel can implement signaling, but the most common is probably the semaphore. Essentially, a semaphore is a counter that tracks the occurrence of events: a zero value corresponds to no activity, while a non‐zero value means that events have taken place. This data structure is managed not by application code but by the kernel and is tied to the kernel’s scheduling mechanisms. If a task calls a kernel function to wait on a particular semaphore and that semaphore’s counter has a zero value (meaning that the event associated with the semaphore has not yet occurred), then the kernel begins running other tasks.
Semaphores and other data structures used for signaling are part of a kernel’s synchronization services.
The primary job of a kernel is to manage tasks, but most kernels also offer a variety of other services. In addition to synchronization, these services typically include inter‐task communication (which often involves providing queues for message passing) and mutual exclusion. Together, the services allow developers to use a kernel to put together robust multitask applications.
Considerations for Developers of Medical Devices
The various services common to real‐time kernels are available to developers of practically any type of product. In determining if a kernel would meet their needs, though, developers in the medical field must weigh the benefits that these services could bring against risks that don’t exist in every other industry. Perhaps the most obvious potential downside to kernel use in a medical product is the need for additional certification work. Typically, the software used in a medical device is required to undergo a certification process that involves extensive testing. The cost of this process is commensurate with code size; the addition of more code in the form of a kernel means more money must be spent on certification.
If kernel use necessarily entailed going through the complete certification process for an entire kernel, then many developers might be better off taking their chances with a foreground/background system. However, a handful of the commercial real‐time kernels that are currently available to developers have a history of use in medical devices. Accordingly, these kernels have already been through the certification process, and the documents that would be needed in order for them to again be used in a medical product have already been generated. By selecting one of these kernels, developers can avoid uncertainties relating to certification efforts.
Beyond certification, an issue that should be examined by developers of medical devices who are deciding whether or not to use a kernel is code complexity. In particular, developers addressing the question of kernel use should consider how many different features their application will incorporate and how many peripheral devices their code will be responsible for managing. Modern medical devices can be incredibly complex; a device used primarily for taking patient measurements might also be capable of displaying the results of the measurements on an LCD, storing patient data on a USB flash drive, and communicating with a hospital via TCP/IP. A kernel, by enabling developers to easily divide these responsibilities amongst different tasks, affords a means of managing the complexity.
For developers of battery‐powered medical devices, power management is an issue that is just as important, if not more so, than code complexity and management of peripheral devices. A kernel can be highly useful in projects demanding power efficiency, in part because of the multitask structure of a kernel‐based application. In a foreground/background system, code enabling a transition to a low‐power mode may need to be inserted at multiple locations where the application waits for data or for an event to occur. In a kernel‐based application, though, the low‐power code is typically needed in just one task: the idle task that the kernel executes when no application tasks are able to run. Most kernels provide some sort of hook function that allows developers to easily customize the idle task with their power‐management code.
The benefits of kernel use, including assistance in dealing with complexity and managing power, are not always obvious. However, any developer who has struggled to implement a high‐performance, full‐featured product around a foreground/background system knows that this application structure is not suitable for all projects. Even in the highly regulated medical field, a real‐time kernel can help developers avoid the problems associated with foreground/background systems.
Although most kernels provide somewhat similar services, only a few of the kernels currently available to developers are suitable for medical applications. The kernels belonging to this select group have a history of use in medical devices, and have undergone the rigorous testing required to certify software for such devices. Developers who chose such a kernel substantially increase their odds of completing their next medical project on schedule and under budget.
About the author:
Matt Gordon is a senior applications engineer at Micrium. He has several years of experience developing kernel ports, device drivers, and example applications for Micrium’s customers. Drawing on this experience, Matt has written multiple articles on embedded software. Additionally, he has led Micrium’s training program since its inception. Matt holds a bachelor’s degree in computer engineering from Georgia Tech. This article is based on some of the material he will provide for his half-day tutorial (ESC- 214) on Tuesday at the Embedded Systems Conference in Boston, Ma.