How to meet IEC 61508 ‘SIL 3’ requirements with two low-cost MCUs
We receive many enquiries from organisations that need to meet IEC 61508 (SIL 3) requirements.
On this page, we present, in outline, a simple TT (time-triggered) software framework that can be used to meet these requirements using two low-cost MCUs.
[This page was last updated 2017-08-31]
1. Select your TT Platform
A wide range of different TT Platforms can be employed in safety-related embedded systems.
Some examples are shown in the table below (which is adapted from ‘ERES2’):
In the IEC 61508 design that we are considering in this example, Hardware Fault Tolerance (HFT) is a key consideration.
When we have an HFT of 0, this means that we have only a single processing path available: if this fails, our goal must be to ensure that the system can enter a Fail-Safe State. When we have an HFT of 1, we have a second processing path available: if one processing path fails, we may be able to continue operating the system (at least for a while), possibly in a Limp-Home Mode.
Because of the emphasis on HFT in IEC 61508, developers of systems that must comply with this standard tend to focus on the use of designs with two MCUs (with HFT = 1). In many cases, the design will also employ ‘SIL decomposition’: what this means in practice is that a ‘SIL 3’ design is often based on a hardware platform that is assembled from two ‘SIL 2’ microcontrollers (MCUs).
In keeping with this focus, the design notes presented on this page assume that the system will be based on a ‘DuplicaTTor®-A’ Platform, built from two ‘SIL 2’ MCUs (each with an appropriate Safety Manual).
For example, our DuplicaTTor Evaluation Boards incorporate two STMF405 MCUs.
Other options are available: the software architecture presented below can be employed with any pair of ‘SIL 2’ MCUs.
2. Start your design with a TT software framework
TT software architectures provide a simple and cost-effective way of meeting IEC 61508 requirements.
- TT architectures are “Highly Recommended” for systems of Safety Integrity Level (SIL) 2 or above. [IEC 61508-3 (2010), Table A.2]
- Use of a TT architecture “Greatly reduces the effort required for testing and certifying the system” [IEC 61508-3 (2010), Table C.1]
- Static synchronisation of access to shared resources – a key characteristic of all TT designs — is “Recommended” (SIL3) / “Highly Recommended” (SIL4) [IEC 61508-3 (2010), Table A.2]
- Limited use of interrupts – a defining characteristic of TT designs – is “Recommended” for SIL1 and SIL2 systems and “Highly Recommended” for SIL3 and SIL4 systems. [IEC 61508-3 (2010), Table B.1]
As we noted above, the design presented here is based on what is known as a DuplicaTTor®-A Platform. This Platform allows us to link together the processing on the two MCUs in a highly-deterministic manner (that can be easily modelled).
The architecture of this Platform is illustrated below.
The DuplicaTTor Platform outlined on this page is discussed in detail in the Second Edition of the book ‘The Engineering of Reliable Embedded Systems’ (ERES2).
Complete (and fully documented) code for a DuplicaTTor-A Platform is provided with our DuplicaTTor Evaluation Board packages.