Advanced embedded software technologies offer medical devices improved connectivity with the assurance of security.
[Image: Secure virtualization technology for medical devices.]
Medical devices have traditionally relied on advanced hardware technology to provide the majority of the application-specific features for a given device function. Today, medical devices are becoming more connected, and the multifunction software that runs on devices is more complex and more often a key differentiator in the success of the product. In addition, manufacturers must design a user-friendly interface (for home use) and provide field-upgradable units. These design elements lead to the use of off-the-shelf software components that are more commonly found in consumer devices and computers in the home.
This article looks at some of the embedded software technologies that can be used today to create medical devices to meet these new demands, including a real-life example of a company that creates leading-edge medical products using key software technologies. It will also look at how the medical industry can take advantage of emerging hardware and software technologies that help bring embedded and traditional computer systems together.
Complex Needs
As medical devices increase in functionality, there is a need for more robust and complex embedded software components. Technologies that connect devices in the outside world, such as networking or USB, typically need a software stack to enable them. These software stacks usually rely on an operating system (OS) to ensure that the data sent to the device do not lose information when the device is busy with other tasks. The more complex the software stacks, the more the OS moves from a simple real-time OS (RTOS) to a fully functioning OS. However, many medical devices still require the real-time reliability of an RTOS to ensure that patient communication is not compromised by communication with the outside world. Most commercial RTOSes provide not just the OS but also many of the stacks that are required to communicate with external devices, so an embedded developer can design the software that is required to power and differentiate the medical device.
However, using a commercial OS can be considered too close to a lock-in with a given commercial OS vendor. As a result, many medical device manufacturers turn to an open-source OS, because it offers a good compromise between functionality, cost, and vendor neutrality. For example, an OS such as Linux has a good track record in medical devices. Linux, however, is not the answer to all medical device software requirements. It is large in footprint, often requiring extra memory and cost for the embedded device, and does not always have the real-time determinism needed for medical devices that capture or process a lot of real-time data. Linux is very reliable when compared with other desktop OSes, but it doesn’t have the safety-critical pedigree that can be found in RTOSes that have been used in applications in the avionics, automotive, or industrial control industries. Developers who are looking for size, performance, and pedigree without compromising the vendor neutrality and reuse options that Linux provides can also use open standards–based commercial RTOS products.
An RTOS based on open standards, such as POSIX (portable operating system interface), offers an alternative to using an open-source OS. POSIX is an open operating system interface standard that places certain requirements on aspects of the OS such as signals, calls, and management of processes and threads. The functionality that such an OS offers is very similar to Linux, because it provides the software stacks that are required to connect the medical device to the outside world and allows applications written for Linux to be easily migrated with a simple recompile. The open standard interface also eases the future portability of code written on it and avoids the vendor lock-in threat of using an RTOS with a proprietary interface. The big advantages that an open standards–based RTOS provides are a real-time pedigree that offers determinism and reliability, and a safety-critical background that is not found in an open-source OS.
Using Open Standards–Based RTOS
The international medical technology company Elekta uses an open standards–based RTOS for current and future medical devices. It bases its new generations of equipment on the POSIX-based LynxOS-SE from LynuxWorks.
Elekta specializes in systems for radiotherapy and radiosurgery that treat cancer and brain disorders. The Elekta Synergy image-guided radiation therapy system uses high-resolution imaging taken in 3-D and at the time of treatment. The technology streamlines the processes of assessing patients and beginning treatment. It also gives surgeons up-to-date image data so they can target a higher proportion of an affected area while minimizing damage to surrounding healthy tissue.
The company’s current product development activities include a digital treatment control system that drives the digital linear accelerator range of products. For this technology, it is important that the company can quickly port its software applications across a variety of products to improve reliability and reduce time to market. For its new treatment system and subsequent generations of products, Elekta looked for a high-performing OS that has the additional requirement of hard partitioning to allow other applications to run concurrently without interfering with each other. To meet these criteria, Elekta chose an open standards–based system that uses POSIX technology. Since LynxOS-SE is POSIX-conformant and supports the POSIX.1 standard in its entirety, Elekta has an RTOS to port software between platforms in future projects.
Figure 1. A company used the LynxOS-SE partitioned OS during the design of a new product.
The design of the new product using LynxOS-SE was undertaken by a small team of engineers at Elekta’s UK design center (see Figure 1). The engineering team was experienced in real-time development and completed the design, including porting and writing of drivers, within their project timescales. The portability and open-standards aspects of LynxOS-SE were fundamental to achieving this short time-to-availability of the first prototype. Another key team objective was to create a generic base on which to build future products. This platform will include radiotherapy systems and a number of other products that will make complex procedures faster and more effective.
Because the future product strategy for Elekta will also consider some new hardware architectures based on 64-bit multicore technology (already supported by the LynxOS-SE OS), the portability of the code is not just across multiple systems; it can also follow new technologies as they emerge. The LynxOS-SE OS is also ready to be used in future generations of virtualized hardware platforms.
Device Virtualization
The idea of making medical devices virtual may seem a little strange, but the virtualization of the software that runs on medical devices can benefit future device platforms. The virtualization of OSes has been widely used in server and data center applications, and is becoming a driver for using software applications in cloud computing. Virtualization also has some interesting potential for increasing functionality, usability, and security in embedded systems—especially for medical systems. For an example of secure software virtualization, see the sidebar “Secure Virtualization.”
Traditional OSes and RTOSes may suffice when it comes to connecting devices and running multiple applications simultaneously. However, when a single device needs to have a complex and familiar GUI similar to a desktop machine and still have the real-time determinism of an RTOS, there is a compromise that neither a desktop OS nor an RTOS can accomplish well. Enter virtualization. By running multiple virtualized OSes on a single system, a user interface can be developed that uses a traditional desktop OS such as Microsoft Windows, while the real-time patient information component uses a traditional RTOS, such as LynxOS-SE. This case relies on a virtualization system that has real-time properties and introduces the use of a separation kernel and embedded hypervisor combination product.
A separation kernel is a small, lightweight OS that is the lowest-level connection to the processor. It provides secure partitions through which applications can run, and each partition is given access to both physical and virtual resources that the other partitions cannot access. The separation kernel does not offer traditional OS features such as disk or network access, but it manages scheduling and memory functions, as well as which physical devices (disks, graphics, network, etc.) are available to each partition. When a separation kernel is combined with an embedded hypervisor, the ability to run multiple OSes together (while maintaining the separation between them) on the same hardware platform becomes a reality.
Embedded hypervisor technology can offer different schemes for the virtualization of a guest OS. A paravirtualized guest OS is modified to work more closely with the underlying hypervisor. It can offer better performance on processors with virtualization support because it optimizes how the OS and the hypervisor work in concert with one another and with the underlying processor. This paravirtualization scheme is often used for RTOS virtualization where performance and determinism are key. For an OS where no modification is possible or where real-time performance is not required, the hypervisor can provide a full virtualization scheme. This scheme presents a virtual view of the underlying hardware that looks identical to a real hardware platform; thus the guest OS is fooled into thinking it is running on a real hardware platform.
This software partitioning and hypervisor virtualization also helps in the consolidation of hardware that is of particular interest in many medical scenarios. By running separate systems in their own partitions and allowing for different OSes and applications to be run in those partitions, there can be a true consolidation of physically separate systems to a single physical piece of hardware.
Because the separation kernel and embedded hypervisor are designed for use in embedded real-time systems, an RTOS can run on the same physical system as a traditional desktop OS without compromising the determinism of the RTOS or the functionality of the desktop OS. A key feature of this embedded virtualization is the built-in security provided by the separation kernel. It gives different OSes and their applications access to different devices on the same system. For example, any applications running on the Windows OS, including potential malicious attacks, cannot interfere with the real-time system unless explicitly allowed (like the control application). As a result, patient-sensitive information and devices are protected from the outside world.
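The partitioning described above (memory and devices assigned exclusively to each partition, with cross-partition communication only where explicitly allowed) can be modeled as a static configuration check. The following C code is an added example, not code from LynuxWorks or the article; the partition names, addresses, device assignments, and the one-way control channel are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model: names, addresses and device assignments are illustrative. */
typedef struct {
    const char *name;
    uint32_t mem_base, mem_size;  /* private physical memory window */
    uint32_t devices;             /* bitmask of devices this partition owns */
} partition_t;

typedef struct { int from, to; } channel_t;  /* assumed one-way, explicitly allowed */

enum { DEV_DISPLAY = 1u << 0, DEV_NIC = 1u << 1, DEV_SENSOR = 1u << 2 };
enum { NPARTS = 2, NCHANNELS = 1 };

static const partition_t PARTS[NPARTS] = {
    { "gui-desktop-os", 0x00000000u, 0x40000000u, DEV_DISPLAY | DEV_NIC },
    { "patient-rtos",   0x40000000u, 0x10000000u, DEV_SENSOR },
};
/* The control application is the only declared path: GUI -> RTOS. */
static const channel_t CHANNELS[NCHANNELS] = { { 0, 1 } };

/* Static check: no two partitions share a memory range or a device. */
bool config_is_separated(const partition_t *p, size_t n) {
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++) {
            uint64_t end_i = (uint64_t)p[i].mem_base + p[i].mem_size;
            uint64_t end_j = (uint64_t)p[j].mem_base + p[j].mem_size;
            if (p[i].mem_base < end_j && p[j].mem_base < end_i) return false;
            if (p[i].devices & p[j].devices) return false;
        }
    return true;
}

/* Default deny: a partition reaches a device only if it owns it. */
bool may_access_device(int part, uint32_t dev) {
    return part >= 0 && part < NPARTS && (PARTS[part].devices & dev) == dev;
}

/* Default deny: data flows only along a declared channel, in its direction. */
bool may_send(int from, int to) {
    for (int i = 0; i < NCHANNELS; i++)
        if (CHANNELS[i].from == from && CHANNELS[i].to == to) return true;
    return false;
}

int main(void) {
    /* Exit 0 only if the layout is separated and the GUI cannot reach the sensor. */
    return (config_is_separated(PARTS, NPARTS) && !may_access_device(0, DEV_SENSOR)) ? 0 : 1;
}
```

Reviewing a layout in this form before deployment makes an overlapping memory window or a doubly assigned device visible as a failed check rather than as a runtime isolation failure.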
Conclusion
Advanced embedded software technologies offer improved connectivity and security for medical devices. These specialized OSes and any applications running on top of them remain unchanged between the stand-alone version and the virtualized version, allowing for seamless migration to a virtualized medical platform. This interface gives medical device companies the ability to migrate their existing applications onto systems that now have desktop functionality and connectivity with a port, and without compromising the security of their medical devices.
Robert Day is vice president of marketing at LynuxWorks Inc. (San Jose).