Towards Open-Source Mixed-Criticality Systems - A Conceptual Framework Unifying Safety and Security

Benedikt Spranger - Linutronix GmbH

Modern embedded systems are often designed to meet both safety-critical and non-safety-critical requirements concurrently, balancing diverse functional and certification needs within a unified platform. While safety-critical parts must continue to satisfy stringent reliability and regulatory standards, the non-safety-critical parts are increasingly expected to deliver higher functionality and improved performance at minimal cost. Simultaneously, security requirements across all system components are becoming significantly more demanding, driven by regulations such as the EU Cyber Resilience Act (CRA) and industry standards like IEC 62443. To efficiently address these diverging demands, mixed-criticality system design has become a widely adopted and practical approach.

Emerging platforms such as the TI AM6442 embedded processor offer cost-effective solutions for such systems, providing two 64-bit ARM Cortex-A53 cores, four Cortex-R5F cores, an integrated network switch (CPSW), and specialized network-oriented DSPs (PRU). However, despite the availability of capable hardware platforms, designing and implementing mixed-criticality systems remains a demanding task. Developers must carefully manage complex interactions between safety, performance, and security domains while ensuring system integrity and regulatory compliance. To support this challenging development process, well-defined guidelines, best practices, and architecture templates are essential.

This presentation will demonstrate how an existing safety-certified system -- originally built using multiple microcontrollers running SAFERTOS, alongside additional network-connected embedded devices for Human-Machine Interface (HMI), fieldbus communication, and non-safety-related control tasks -- can be efficiently consolidated into a single mixed-criticality platform based on the TI AM6442. In addition to system consolidation, further improvements include migrating from a proprietary fieldbus to Time-Sensitive Networking (TSN) to enable more standardized, deterministic communication, as well as achieving compliance with IEC 62443 to meet the increasing cyber-security requirements.

The system design shown here is divided into several zones:

  1. Safety Zone
  2. Network Zone
  3. Configuration and Control Zone
  4. TSN Zone  

Each zone is implemented using different approaches:  

Safety Zone:    

This zone runs on SAFERTOS, utilizing the four Cortex-R5F cores. Communication between the cores is facilitated through shared memory, which is divided into a Read-Write section and a Read-only section. A doorbell mechanism is established using the integrated mailbox functionality. The shared memory is organized as a ring buffer, and VirtIO -- a common mechanism for interaction between virtual machines -- enables communication within the "Safety Zone" and with other zones. This zone is configured for exclusive access to safety-related peripherals.

Network Zone:    

This zone operates on IGLOS, a Debian-based Linux distribution optimized for cyber-security and validated in an IEC 62443 certified product. It manages all network capabilities except for TSN-related traffic and oversees HMI and UI activities. The zone runs in a restricted virtual mode, maintained by the Jailhouse hypervisor, with minimal peripheral access. Communication with other zones occurs through shared memory using VirtIO, and inter-zone signaling is achieved via inter-processor interrupts (IPI). One Cortex-A53 core is dedicated to this zone, which operates entirely from memory and a network filesystem, without access to physical block devices.

Config & Control Zone:    

This zone is the controlling heart of the system. All realtime applications run in this zone. Besides that, it initiates the Jailhouse hypervisor and acts as the central connection point. It provides the network filesystem for the "Network Zone", manages access to physical block devices, and processes TSN traffic from and to the "TSN Zone". While it also uses IGLOS, it is configured differently to meet control timing requirements, utilizing a PREEMPT_RT-enabled Linux kernel. This zone is responsible for system updates and has access to a Trusted Platform Module (TPM) and a secure memory chip.

TSN Zone:    

Implemented bare-metal on the PRUs, this zone is a network accelerator for all TSN-related traffic. Media Access Control Security (MACsec) is employed in this zone to secure network communications. Frame Replication and Elimination for Reliability (FRER), as defined in IEEE 802.1CB, is handled here. The PRUs manage TSN network timing, while the internal switch ensures the TSN network is protected from unsolicited traffic from the "Network Zone". Network access is controlled by the CPSW, and verified TSN traffic is forwarded to the "Configuration and Control Zone" via shared memory and VirtIO, with PRU interrupts serving as the doorbell mechanism.
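The shared-memory ring buffer with a doorbell that the Safety, Network and TSN zones use to talk to each other is the trust boundary of this design. The following is an added illustration, not code from the talk or from the AM6442 platform: a single-producer/single-consumer ring in a shared region where the trusted consumer never indexes the data area with a value taken from the other zone, and refuses a producer-written head that is inconsistent with its own tail. Slot sizes, counts, message strings and the callback standing in for the mailbox/IPI doorbell are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added illustration, not code from the talk: a single-producer/single-consumer
 * ring buffer in a shared-memory region between two zones. The consumer (the
 * trusted side, e.g. a Safety Zone core) never indexes the data area with a
 * value taken from the other zone: its own tail selects the slot, and the
 * producer-written head is only used to compute availability after a
 * consistency check. The doorbell (mailbox/IPI) is modelled as a callback. */

#define RING_SLOTS 8u     /* constructed sizes for the example */
#define SLOT_BYTES 16u

struct ring {
    uint32_t head;                            /* written by producer only */
    uint32_t tail;                            /* written by consumer only */
    uint8_t slots[RING_SLOTS][SLOT_BYTES];
};

typedef void (*doorbell_fn)(void);
static int g_bell_rings;
static void ring_doorbell(void) { g_bell_rings++; }   /* stand-in for mailbox */
int bell_rings(void) { return g_bell_rings; }

/* Producer: copy one message, publish the new head, then ring the doorbell. */
int ring_push(struct ring *r, const void *msg, size_t len, doorbell_fn bell)
{
    uint32_t head = r->head, tail = __atomic_load_n(&r->tail, __ATOMIC_ACQUIRE);
    if (len > SLOT_BYTES || head - tail >= RING_SLOTS) return -1;  /* full */
    memcpy(r->slots[head % RING_SLOTS], msg, len);
    __atomic_store_n(&r->head, head + 1, __ATOMIC_RELEASE); /* data before head */
    if (bell) bell();
    return 0;
}

/* Consumer: refuse an inconsistent head (corrupt or misbehaving producer)
 * before touching any data; otherwise pop the slot selected by the local tail. */
int ring_pop(struct ring *r, void *out, size_t len)
{
    uint32_t head = __atomic_load_n(&r->head, __ATOMIC_ACQUIRE), tail = r->tail;
    if (head - tail > RING_SLOTS) return -2;   /* more than capacity: corrupt */
    if (head == tail) return -1;               /* empty */
    if (len > SLOT_BYTES) return -3;
    memcpy(out, r->slots[tail % RING_SLOTS], len);
    __atomic_store_n(&r->tail, tail + 1, __ATOMIC_RELEASE);
    return 0;
}
```

The release/acquire pairing makes the slot contents visible before the index that announces them, which is the same ordering a VirtIO-style transport relies on between available and used indices.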

The system boot process is critical for both safety and security considerations. It employs a modified U-Boot-based secure boot along with integrated encryption, integrity, and verification mechanisms in Linux. A robust, multilayered secure update scheme is implemented using SWUpdate, ensuring the reliable and authenticated delivery of software updates. This approach is crucial for maintaining the security, integrity, and resilience of connected devices, especially in light of the stringent requirements set forth by the CRA, which underscores the necessity of timely and secure software updates to mitigate vulnerabilities and uphold regulatory compliance throughout the product lifecycle.

Shifting focus from technical aspects to the system's lifecycle, IGLOS is utilized in various configurations across the Linux systems within the design. As a Debian-based distribution, IGLOS offers security tracking and system updates throughout the project's lifespan, along with security documentation related to the IEC 62443 certification. Its foundation on the widely used Debian project ensures a high level of integration with available software packages. In addition to internal software audits, Debian bug tracking, and CVE monitoring, IGLOS maintainers are part of the FOSS ecosystem.

By meeting the dual challenges of stringent safety and security requirements within an integrated and cost-efficient platform, the proposed mixed-criticality architecture paves the way for more reliable, scalable, and economically viable solutions in future critical system designs.

Co-author: 
  • Dr. Florian Kauer, Linutronix GmbH

 

Short Bio:

Benedikt Spranger has been professionally involved with Linux since 1996. He has been working for the company Linutronix since 2006. There he specializes in Linux-based board support packages, real-time applications, and Linux kernel development.

 

Thursday, September 25, 4.00 PM