Technology from SafeTTy Systems™
At SafeTTy Systems, we help our customers to develop software for embedded systems that are reliable, secure and safe using state-of-the-art “Time-Triggered” (TT) architectures that incorporate patented monitoring capabilities.
We provide an introduction to TT architectures on this page, with a focus on the development of systems in compliance with international safety standards.
[This page was last updated: 2019-01-16]
An overview of our approach
At SafeTTy Systems:
- we specialise in the engineering of very simple software designs for high-reliability / safety-related / safety-critical embedded systems;
- keeping the designs simple allows us to model them precisely (at design time) and monitor them closely (at run time);
- our modelling and monitoring process allows us to provide clear evidence that the systems we support will meet their requirements.
Many of our our customers apply our technology to build a complete ‘TT System‘.
In other cases, our customers use our technology to build a ‘TT Wrapper‘: this is a monitoring unit that is used to improve confidence in the safe operation of a (pre-existing) complex component or system.
Some of our customers build ‘bare metal‘ systems; others use our technology to integrate and monitor designs that incorporate a conventional ‘Real-Time Operating System‘ (RTOS).
We say more about the state-of-the-art TT software architectures that we support in the sections below.
TT vs. ET architectures
Two software architectures are used in embedded systems: these can be labelled as ‘event triggered’ (ET) and ‘time triggered’ (TT). The key differences between ET and TT systems arises from the way that the tasks are released.
For many developers, ET architectures are more familiar. A typical ET design will be required to handle multiple interrupts. For example, interrupts may arise from periodic timer overflows, the arrival of messages on a CAN bus, the pressing of a switch, the completion of an analogue-to-digital conversion and so on. To create such systems, the developer may employ a task to handle each event directly: this may involve creating an ‘interrupt service routine’ (ISR) to deal with each event. The developer may also decide to employ a conventional real-time operating system (RTOS) to support the event handling. Whether an RTOS is used or not, the end result is the same: the system must be designed in such a way that task releases – which may occur at ‘random’ points in time, and in various combinations – can be handled correctly.
The key advantage of ET designs is that they are easy to build. On the other hand, a key challenge with ET designs is that there may be a very large number of possible system states: this can make it difficult to verify that the system will always operate correctly.
The alternative to an event-triggered architecture is a time-triggered (‘TT’) architecture. When saying that an embedded system has a TT architecture we mean that it executes at least one set of tasks according to a predetermined schedule. The tasks must have: [i] well-defined functional behaviour, and [ii] well-defined timing behaviour. The schedule will determine the order of the tasks are released, the time at which each task is released, and whether one task can interrupt (pre-empt) another task.
In most cases, the starting point for the implementation of a TT design is a ‘bare metal’ software framework: that is, the system will not usually employ a conventional RTOS, Linux™ or Windows®. In the software framework, a single interrupt will be used, linked to the periodic overflow of a timer. A ‘polling’ process will then allow interaction with peripherals.
A key advantage of TT designs is that it is (compared with an equivalent ET design) easy to verify that the system will operate correctly.
For this reason, TT architectures are sometimes viewed as a ‘safer subset’ of a more general class of ET architectures (just as some people consider ‘MISRA C’ to be a safer subset of the C programming language).
Design for a range of simple TT systems are presented in the ‘PTTES’ book.
Monitoring TT systems at run time
A key reason for choosing to use a TT software architecture is that the resulting system will have deterministic behaviour: we can therefore model key characteristics such as the maximum CPU load, the response time and levels of task jitter.
Such models are necessarily based on various assumptions, including the following:
- we have operational peripherals on each processor;
- we can transfer data between tasks on the same processor without corruption;
- we can transfer data between processors without corruption;
- all the processors in our system are operating correctly;
- we are running the correct processor software on each processor;
- we have an operational scheduler on each processor;
- all the tasks on each processor are operating correctly;
- we know the ‘Worst-Case Execution Time’ (WCET) and ‘Best-Case Execution Time’ (BCET) of all tasks on each processor;
- we know the task execution sequence in each mode on each processor.
If we fail to meet any of these assumptions at run time, our models may not be valid and we cannot be sure how the system will behave in the field. We therefore need to incorporate mechanisms in our TT system that will allow us to test these assumptions at run time, and we need to consider what we will do if the system does not pass one or more of these tests.
The TT designs that we develop for our customers will typically employ a simple TT task scheduler supported by MoniTTor and PredicTTor mechanisms: these are patented monitoring components that were developed by the team at SafeTTy Systems.
As an example, the figure below gives an overview of a CorrelaTTor® platform (we pronounce it ‘correlator’).
In a CorrelaTTor platform, a single processor is employed with internal monitoring. For example, the combination of an ‘ASIL D’ microcontroller and CorrelaTTor software can provide a highly-effective means of meeting the requirements of ISO 26262 (up to ‘ASIL D’).
The figure below gives an overview of a DuplicaTTor (‘duplicator’) platform.
In a DuplicaTTor platform, two processors are employed (with cross-checks between them). For example, the combination of two ‘SIL 2’ microcontrollers and DuplicaTTor software can provide an effective means of meeting the requirements of IEC 61508 (up to ‘SIL 3’) and / or ISO 13849 (up to ‘PL e’).
Design of these platforms is discussed in detail in the ERES2 book.
Applying our technology: Design examples
In some cases, our customers use ReliabiliTTy technology to build a ‘TT Wrapper’: this is a monitoring unit that is used to improve confidence in the safe operation of a (pre-existing) complex component or system.
‘TT Wrappers’ can provide an effective means of improving confidence in the safety of an existing design prototype (even where the prototype was not developed in full compliance with the relevant international safety standards). Used appropriately, a TT Wrapper can help organisations bring initial products to market quickly and safely, in a cost-effective manner.
In other cases, our customers apply ReliabiliTTy technology to build a complete ‘TT System’.
Where practical, we recommend use of a fully-TT design (rather than a TT Wrapper) in situations where the organisation needs to improve confidence in the system reliability and robustness. In some cases, we find that our customers are exploring a TT Wrapper as a first design option, to be followed by a fully-TT system for the second-generation product release. Where required, we can assist with such a ‘Wrapper first’ development process.
We have released a set of design examples that illustrate the development of both TT Wrappers and TT Systems.
Applying our technology: Working with a conventional RTOS
The designs summarised in the previous section are sometimes called ‘bare metal’: in summary, this means that they do not involve use of a conventional ‘Real-Time Operating System’ (RTOS).
While bare-metal designs offer some advantages, our customers also use ReliabiliTTy technology in combination with an RTOS:
- in such designs, we can still implement a TT architecture, model the resulting design and use ReliabiliTTy technology to monitor the system at run time;
- this approach can be particularly effective as a means of integrating complex designs, and providing evidence that the system will operate correctly in the field.
Please contact us for further information about this approach.
ReliabiliTTy® Technology Licences
- Pont, M.J. (2018) “A framework as well as method for developing time-triggered computer systems with multiple system modes”, SafeTTy Systems Ltd, EU Patent No. 3,039,542.
- Pont, M.J. (2017) “A framework as well as method for developing time-triggered computer systems with multiple system modes”, SafeTTy Systems Ltd, US Patent No. 9,830,211.
- Pont, M.J. (2016) “A monitoring unit as well as method for predicting abnormal operation of time-triggered computer systems”, SafeTTy Systems Ltd, UK Patent no. 2,526,082.
- Pont, M.J. (2016) “A framework as well as method for developing time-triggered computer systems with multiple system modes”, SafeTTy Systems Ltd, UK Patent no. 2,526,083.
Further patents have been applied for.
In addition, RTLs allow use of the following technology and code examples (under the terms of the customer’s specific RTL):
- the ‘Time-Triggered Reference Designs‘ (TTRDs) and related techniques described in the ‘ERES‘ books;
- complete CorrelaTTor® and DuplicaTTor® code platforms (when provided as part of a SafeTTy Solutions™ package);
- the code examples and related techniques described in the ‘PTTES‘ book.
Do you need to create an embedded system that is reliable / secure / safe?
Our ReliabiliTTy Technology Evaluation Licence (RTEL) packages provide a highly cost-effective way of exploring the benefits that our state-of-the-art TT technology can provide for your business.
- include 2 days of one-to-one design support, helping to ensure that your team can prototype their first TT product successfully, at minimal cost;
- may also include our popular TTb Training Course (delivered on your company site).
Learn more about RTEL packages …
Olitek to employ ReliabiliTTy Technology from SafeTTy Systems in OzVader ventilators
Based in Australia, Olitek Pty Ltd (Olitek) specialises in the development of bespoke mobile machinery that incorporates automation and robotics. In response to the worldwide COVID-19 crisis (and to help prepare for possible future events of a similar nature), the team at Olitek and their partners are currently developing a range of low-cost ‘OzVader’ medical ventilators.
Based in the UK, the team at SafeTTy Systems Ltd (SafeTTy Systems) help their customers around the world to develop software for reliable and cost-effective medical systems, automotive systems (including autonomous vehicles), industrial control systems and related designs, in compliance with international safety standards. They do this by using ReliabiliTTy® Technology that integrates ‘Time-Triggered’ (TT) software architectures with patented run-time monitoring techniques. ReliabiliTTy Technology operates on low-cost, off-the-shelf microcontroller hardware: this helps to ensure that the resulting products have low unit costs.
Following recent discussions, the Olitek team will employ ReliabiliTTy® Technology from SafeTTy Systems in their next generation of ventilators.
James Oliver (MD, Olitek) comments: “The OzVader ventilator has been developed specifically to treat the global COVID-19 pandemic. It is designed to fulfil the needs of ICU clinicians and has safety of the patient at its forefront. By working with SafeTTy Systems, we will be able to meet our safety requirements while also ensuring that product costs can be minimised, thereby allowing us to make sure that these crucial devices can be made available wherever they are needed around the world.”
Michael J. Pont (CEO, SafeTTy Systems) comments: “We are very pleased to be able to help with this important project and look forward to working with Olitek and other members of the OzVader team.”
[6 June 2020]