PXROS-HR is an object-oriented Real-Time Operating System (RTOS) featuring a modern micro-kernel architecture designed for advanced multi-core MCUs.
The latest version enhances encapsulation and robustness through fine-grained hardware protection mechanisms (MPU) available on modern microcontrollers such as Infineon’s AURIX family.
Safety Certification and Integration
The PXROS-HR operating system for TriCore is officially TÜV-certified for use in safety-related applications up to SIL 3 (IEC 61508) and ASIL D (ISO 26262).
The certification, granted by TÜV Nord Systems GmbH & Co. KG, confirms its suitability for high-integrity and safety-critical applications.
Developed with the HighTec C/C++ compiler for TriCore/AURIX, PXROS-HR is ideal for industrial and automotive systems where safety is essential.
It integrates seamlessly with Infineon’s MCAL and SafeTlib frameworks, while remaining non-AUTOSAR based and optimized for the TriCore architecture with multi-core support for the AURIX family.
Real-Time OS Background
PXROS-HR (High Reliability) is the successor to the original PXROS micro-kernel, first developed in 1983 and deployed since 1985 across thousands of embedded devices.
The original PXROS design was guided by three key goals:
- Excellent interrupt behavior — no interrupt locking
- Clean, modular architecture
- Extreme robustness under heavy system load
Encapsulation and Reliability
A core design principle of PXROS-HR is encapsulation — each activity (task) runs in its own capsule and communicates only via message objects and signals.
This structure improves reliability and protects the system from unintended interference.
Tasks are isolated from one another, so a local fault cannot propagate system-wide.
For instance, tasks never use hard interrupt locks, ensuring predictable timing across the system.
Resource usage is local to each capsule, preventing global bottlenecks or deadlocks.
TriCore MPU Support
The PXROS API provides a complete set of services to implement encapsulated and secure task communication.
On AURIX MCUs, PXROS-HR leverages the Memory Protection Unit (MPU) to enforce these principles at runtime.
Illegal data access attempts are immediately detected by the MPU, which halts error propagation.
When a task is scheduled, PXROS-HR dynamically switches the corresponding MPU configuration.
This architecture allows reloading and debugging of tasks at runtime without stopping the system.
Developers can safely integrate safety-critical and non-safety-critical functions on the same AURIX chip with full isolation.
Tasks and Handlers
Many embedded systems require extremely fast responses to events. PXROS-HR achieves this through full interrupt transparency — the RTOS never locks interrupts or alters their state.
This enables warm start capability and makes it easy to migrate existing interrupt-based applications to PXROS-HR.
In PXROS terminology, handlers are user-defined interrupt service routines that can utilize a subset of PXROS services.
Handlers can send signals (events) to tasks, which are queued and executed before returning from interrupt level to task level.
This design ensures real-time responsiveness with minimal overhead.
Tasks and handlers operate under separate User Modes, controlled by the MPU for hardware-enforced protection.
PXROS-HR supports both static and dynamic configuration, allowing tasks to install or remove handlers at runtime.
Resource Control
To ensure system stability, PXROS-HR introduces resource quotas.
Each task maintains its own memory and object accounts, preventing local bottlenecks from affecting other subsystems.
Objects such as mailboxes, message objects, and memory classes are dynamically created from shared object pools and safely released when no longer in use.
This approach allows partially dynamic systems to operate without compromising safety or determinism, even under heavy runtime load.
Signaling and Communication
PXROS-HR enables interaction between handlers and tasks via events and message objects.
- Events are short bit-field messages that can be selectively awaited.
- Message objects contain both data and metadata and can be passed between tasks through mailboxes, ensuring atomic transfer of ownership.
Communication is asynchronous, and synchronization must be explicit.
With MPU-based protection, message data remains fully encapsulated — ensuring high security and integrity.
Time Management
PXROS-HR is fully event-driven and does not require a system tick for its internal operation.
However, it supports software timers via “delay-jobs,” enabling execution of user-defined functions after a specified time interval.
This flexible timing model minimizes jitter and supports time slicing where necessary.
Efficiency and Modern Performance
With today’s high-performance MCUs such as TriCore, PXROS-HR achieves strong encapsulation and data protection with minimal overhead.
The system supports advanced features like redundancy, voting, and diversity — even for high-speed control loops.
Training and Expert Support
Our team of RTOS experts offers:
- 1–2 hour web presentations for deeper insights or Q&A sessions
- 2-day on-site PXROS-HR training, optionally combined with Infineon’s MCAL or SafeTlib courses
These sessions help development teams accelerate integration and maximize reliability in their applications.
