Industrial monitoring system (IEC 61508, SIL 2)

On this page, we explore the design of part of a fire and gas monitoring system for use in an industrial setting.

This system is to be developed in compliance with IEC 61508 (SIL 2).

Our design is based on a ‘Time Triggered‘ (TT) software architecture.

We begin by looking briefly at some of the links between TT systems and IEC 61508.

[This page was last updated: 2017-08-31]



TT software architectures

You’ll find an introduction to TT software architectures on our Technology page.



TT software architectures and IEC 61508

TT software architectures provide a strong foundation for robust and cost-effective IEC 61508 designs.

For example, TT architectures are “Highly Recommended” for systems of Safety Integrity Level (SIL) 2 or above. [IEC 61508-3 (2010), Table A.2]

Static synchronisation of access to shared resources – a key characteristic of all TT designs — is “Recommended” (SIL3) / “Highly Recommended” (SIL4) [IEC 61508-3 (2010), Table A.2]

Limited use of interrupts – a defining characteristic of TT designs – is “Recommended” for SIL1 and SIL2 systems and “Highly Recommended” for SIL3 and SIL4 systems. [IEC 61508-3 (2010), Table B.1]



Design of a sounder unit for an industrial alarm system: Overview

In this example, we will consider the development of a sounder unit (we’ll simply refer to it as the “Sounder”) for use as part of an industrial monitoring system (IMS). The unit is to be used to sound an alarm if a fire, gas leak or another potential hazard is detected by the IMS.

In this study we are concerned only with the Sounder unit.


There are likely to be a number of Sounder units in each IMS. Each Sounder unit will (we assume) be connected to a dedicated CAN bus.

We assume that the system will be required to have an operational life of 20 years.

We assume that the unit will be replaced (or repaired) within 8 hours of a fault being detected.

In this design, we assume that a CorrelaTTor® platform will be employed (specifically, a CorrelaTTor-B platform).

The architecture of this platform is illustrated below:

The resulting system architecture will then be as illustrated here:



Read the complete case study in ‘ERES2’

The Second Edition of ‘The Engineering of Reliable Embedded Systems’ (ERES2), documents an industry-proven approach to the development of software for reliable, real-time embedded systems, based on the use of ‘Time Triggered’ (TT) architectures.

What distinguishes TT approaches is that it is possible to model the expected system behaviour precisely. This means that: [i] during the development process, we can demonstrate that all of the requirements have been met; and [ii] at run time, we can detect problems very quickly.

The end result is that we can have a high level of confidence that a TT system will either: [i] operate precisely as required; or [ii] move into an appropriate state if a problem occurs.

The above characteristics mean that appropriately-implemented TT systems provide a particularly effective means of meeting the requirements of various international safety standards.

Case studies

In order to illustrate how the TT techniques presented in ERES2 can be employed in practical designs, five detailed case studies are included. These studies describe the development of embedded control and monitoring systems for the following products:

  • an industrial alarm sounder unit (IEC 61508, SIL 2);
  • a domestic washing machine (IEC 60730, Class B);
  • a hospital radiotherapy machine (IEC 62304, Class C);
  • a steering-column lock for a passenger car (ISO 26262, ASIL D);
  • an aircraft jet engine (DO-178C, Level A).

Learn more about ‘ERES2’.