TTRDs associated with the ‘ERES2’ book

eres2_front_220
Various ‘Time-Triggered Reference Designs’ (TTRDs) can be downloaded from this page.

Used in conjunction with the ‘ERES2‘ book, these code examples are designed to illustrate ways in which TT software architectures can be used to support the development of a wide range of reliable embedded systems.

Conditions of use

These public TTRDs are primarily intended to be used during training courses delivered by SafeTTy Systems or by Microdevice Technologies (our Training Partner in India) or by Swift Act (our Training and Development Partner in Egypt).

The public TTRDs downloaded from this website may also be used without charge: [i] by universities and colleges in courses for which a degree up to and including “MSc” level (or equivalent) is awarded; [ii] in non-commercial projects carried out by individuals and hobbyists.

Use of these TTRDs in any form of commercial project (including training courses delivered by organisations other than SafeTTy Systems or Microdevice Technologies or Swift Act) or in university research projects (including PhD-level programmes and equivalent) requires purchase of an appropriate ReliabiliTTy® Technology Licence.

Please contact us if you have any questions about these licence arrangements.

ReliabiliTTy Technology Evaluation Licences

Many of our new customers purchase a low-cost ReliabiliTTy Technology Evaluation Licence (RTEL) package as a means of exploring our technology and developing their first TT design.

RTEL packages allow use of our technology – including our public TTRDs – in prototype designs.

Learn more about RTEL packages …

SafeTTy Solutionspackages

In commercial projects, most of our customers employ complete code platforms that are provided as part of a SafeTTy Solutions package.

As an example, the figure below gives an overview of a CorrelaTTor® TT platform (we pronounce it ‘correlator’).

empty_space

empty_space

In a CorrelaTTor platform, a single processor is employed with internal monitoring (using MoniTTor® and PredicTTor® components). For example, the combination of an ‘ASIL D’ microcontroller and CorrelaTTor software can provide a highly-effective means of meeting the requirements of ISO 26262 (up to ‘ASIL D’).

In order to demonstrate that a product is compliant with an international safety standard such as IEC 61508 or ISO 26262, organisations will typically work with an independent third-party assessor (such as exida®).  In our experience, teams generally don’t like writing the extensive documentation that is required to support such a process (and often do this rather badly, leaving significant gaps that have to be addressed by expensive and time-consuming re-submissions). 

To assist with this process, we provide extensive documentation for our CorrelaTTor platform: this amounts to around 1000-1200 pages, spread over 12 documents.

  • customers using this platform typically follow the same structure (and re-use some of the contents) when documenting their product design for a third-party assessor;
  • by providing document templates (and in many cases document contents), we have found that we can significantly reduce the time required by our customers to prepare a case for third-party assessment (by around 6 months per product in our experience).

Learn more about SafeTTy Solutions packages …

[This page was last updated: 2023-11-24]

empty_space

TTRD2-02a [STM32F091 target, Keil uVision project]

empty_space

Latest version is ttrd2-02a-t0091a-v001c (zip file) [Release 2017-02-24a].

This TTRD targets an STM32F091RC MCU. It is designed to run on Nucleo-F091RC board. No external crystal assumed.

TTRD2-02a implements a simple ‘TTC’ scheduler design.

See ‘ERES2‘ Chapter 2 for details.

Reviewing TTRD2-02a is a good way to begin exploring TT designs. This introductory design is documented in the sample chapters for the ERES2 book: these can be downloaded (free of charge) from the ERES2 page.

empty_space

empty_space

empty_space

TTRD2-03a [STM32F401 target, Keil uVision project]

empty_space

Latest version is ttrd2-03a-t0401a-v001a (zip file) [Release 2017-02-24a].

This TTRD targets an STM32F401RE MCU. It is designed to run on a Nucleo-F401RE board. An external 16 MHz xtal is assumed to be present.

TTRD2-03a implements a simple TTC demo system with UART (Buffered Output) library.

Please see ‘ERES2‘ Chapter 3 for further information.

empty_space

empty_space

TTRD2-04a [STM32F401 target, Keil uVision project]

empty_space
Latest version is ttrd2-04a-t0401a-v001a (zip file) [Release 2017-08-21a].

This TTRD targets an STM32F401RE MCU. It is designed to run on a Nucleo-F401RE board. An external 16 MHz xtal is assumed to be present.

TTRD2-04a illustrates the use of Duplicated Variables.

Please see ‘ERES2‘ Chapter 4 for further information.

empty_space

empty_space

TTRD2-05a [STM32F401 target, Keil uVision project]

empty_space

Latest version is ttrd2-05a-t0401a-v001a (zip file) [Release 2017-08-21a].

This TTRD targets an STM32F401RE MCU. It is designed to run on a Nucleo-F401RE board. An external 16 MHz xtal is assumed to be present.

TTRD2-05a illustrates the use of register configuration checks.

Please see ‘ERES2‘ Chapter 5 for further information.

empty_space

empty_space

TTRD2-06a [STM32F405 target (DuplicaTTor board), Keil uVision project]

empty_space
Latest version is ttrd2-06a-t0405a-v001a (zip file) [Release 2017-08-18a].

This version of TTRD2-06a targets an STM32F405 MCU. It is intended for use with a DuplicaTTor board.

TTRD2-06a illustrates the use of Backup Tasks.

In the demo, two ‘Heartbeat’ tasks are implemented.

When ‘Heartbeat 1’ fails, ‘Heartbeat 2’ takes over. When ‘Heartbeat 2’ fails, the systems enters a fail-safe state.

The example is very simple, but the underlying architecture can be widely applied.

See ‘ERES2‘ Chapter 6 for details.

empty_space

empty_space

TTRD2-08a [STM32F401 target, Keil uVision project]

empty_space
Latest version is ttrd2-08a-t0401a-v001a (zip file) [Release 2017-08-21a].

This TTRD targets an STM32F401RE MCU. It is designed to run on a Nucleo-F401RE board. An external 16 MHz xtal is assumed to be present.

TTRD2-08a illustrates the use of reset-based Mode changes.

Please see ‘ERES2‘ Chapter 8 for further information.

empty_space

empty_space

empty_space

empty_space

TTRD2-08b [STM32F401 target, Keil uVision project]

empty_space
Latest version is ttrd2-08b-t0401a-v001a (zip file) [Release 2017-08-22a].

This TTRD targets an STM32F401RE MCU. It is designed to run on a Nucleo-F401RE board. An external 16 MHz xtal is assumed to be present.

TTRD2-08b illustrates techniques for changing Mode in the event that an Abnormal Processor State is detected at run time.

Please see ‘ERES2‘ Chapter 8 for further information.

empty_space

empty_space

empty_space

empty_space

TTRD2-08c [STM32F401 target, Keil uVision project]

empty_space
Latest version is ttrd2-08c-t0401a-v001a (zip file) [Release 2017-08-22a].

This TTRD targets an STM32F401RE MCU. It is designed to run on a Nucleo-F401RE board. An external 16 MHz xtal is assumed to be present.

TTRD2-08c illustrates techniques for changing Mode in the event that an Abnormal Processor State is detected at run time. The focus of the example is on the use of Same-Mode Resets.

Please see ‘ERES2‘ Chapter 8 for further information.

empty_space

empty_space

empty_space

empty_space

TTRD2-08d [STM32F405 target (DuplicaTTor board), Keil uVision project]

empty_space
Latest version is ttrd2-08d-t0405a-v001a (zip file) [Release 2018-06-07a].

This version of TTRD2-08d targets an STM32F405 MCU. It is intended for use with a DuplicaTTor board.

TTRD2-08d illustrates the use of ‘manual’ (reset free) Mode changes.

To support the Mode changes: [i] each Task is required to have a ‘deinit’ function; [ii] the scheduler is adapted in order to support the use of such functions.

In this version of TTRD2-08d, three ‘Normal’ Modes are supported. In each Mode a different LED flashes (Red, Amber or Green). Transitions between Modes occur every 10 seconds or when the user button (BTN) on the DEB-0405 board is pressed.

This code can be loaded onto either (or both) MCUs on the DEB-0405.

The manual Mode changes in this example can be compared to the reset-based Mode changes that are implemented in TTRD2-08a.

Please see ‘ERES2‘ Chapter 8 for further information.

empty_space

empty_space

TTRD2-08e [STM32F405 target (DuplicaTTor board), Keil uVision project]

empty_space
Latest version is ttrd2-08e-t0405a-v001a (zip file) [Release 2017-08-25a].

This version of TTRD2-08e targets an STM32F405 MCU. It is intended for use with a DuplicaTTor board.

TTRD2-08e illustrates the use of Sub-Modes.

See ‘ERES2‘ Chapter 8 for details.

empty_space

empty_space

TTRD2-09a [STM32H755 target (Nucleo board), Keil uVision project]

empty_spaceLatest version is ttrd2-09a-t0755a-v001a (zip file) [Release 2023-07-20a].

This version of TTRD2-09a targets an STM32H755 MCU. It is intended for use with two STM32H755 Nucleo boards.

TTRD2-09a illustrates the use of Shared-Clock schedulers; the schedulers on the two MCU are synchronised by means of ‘Tick’ messages sent on the CAN bus.  Further information (and a full-sized version of the hardware schematic) is included in the Zip file.

See ‘ERES2‘ Chapter 9 for details. 


empty_space

empty_space

TTRD2-16a

empty_space
This example is now incorporated in TTRD2-19a.
empty_space

empty_space

TTRD2-17a

empty_space
This example is now incorporated in TTRD2-22a.
empty_space

empty_space

TTRD2-18a

empty_space
This example is now incorporated in TTRD2-19a.
empty_space

empty_space

TTRD2-19a [STM32F401 target, Keil uVision project]

empty_space
Latest version is ttrd2-19a-t0401a-v001c (zip file) [Release 2017-08-17a].

This TTRD targets an STM32F401RE MCU. It is designed to run on a Nucleo-F401RE board. An external 16 MHz xtal is assumed to be present.

TTRD2-19a implements a complete ‘CorrelaTTor-A’ platform. This includes a TTC scheduler plus iWDT, MoniTTor and PredicTTor mechanisms.

Please note that TTRD2-19a uses task timing data that were created using TTRD2-a07a (see below).

Please note that TTRD2-19a also uses task-sequence data that were created using TTRD2-a08a (see below).

Optionally, TTRD2-19a performs system resets every few seconds. The reset process involves repeating all of the core ‘Power On Self Tests (POSTs). Before performing the reset, part of the Processor state is stored: the state is recovered after the tests and the system continues.

Please see ‘ERES2’ Chapter 19 and Appendix 3 for further information about this TTRD.

empty_space

empty_space

empty_space

TTRD2-20a

empty_space
Further information will be available shortly.
empty_space

empty_space

TTRD2-22a1, TTRD2-22a2 [STM32F405 target (DuplicaTTor board), Keil uVision project]

empty_space
sounder_dreamstime_400
empty_space
In this TTRD, we present a prototype code framework for a sounder unit that is intended to be used as part of an industrial monitoring system (IMS). The unit is to be used to sound an alarm if a fire, gas leak or another potential hazard is detected by the IMS.

Further information will be available shortly.
empty_space

empty_space

TTRD2-23a [STM32F405 target (DuplicaTTor board), Keil uVision project]

empty_space
In this TTRD, we present a prototype code framework for a washing-machine controller.

At heart, a domestic washing machine consists of powerful electric motor enclosed in a metal casing. As a normal part of the device operation, the electric motor is used to rotate a heavy metal drum at high speed. Access to this potentially-dangerous mechanism is controlled by a door with an electronic locking mechanism.

The device is used in a domestic environment. There is a risk of injury if access is obtained to the drum while it is rotating. Such injuries could potentially be severe (including loss of a limb), or even life-threatening, particularly for a small child.

The device is connected to a pressurised water supply. The drum is filled with water as a normal part of its operation. There is a risk of flooding if the door is opened at the wrong time: we will assume that this is a ‘nuisance issue’ (rather than a safety issue). However, a combination of water and an electrical supply must always be treated with caution.

As a consequence of the potential risks that arise from such products, controllers for a washing machine must comply with international safety standards IEC 60730 / IEC 60335 (at ‘Class B’).

In the prototype design, a key focus is on the monitoring and control of the door lock.

empty_space

empty_space

Further information will be available shortly.
empty_space

empty_space

TTRD2-23a [LPC1769 target, Keil uVision project]

empty_space
Further information will be available shortly.
empty_space

empty_space

TTRD2-25a [S32K target, Keil uVision project]

empty_space
Latest version is ttrd2-25a-t0032a-v001a (zip file) [Release 2018-06-11a].

This version of TTRD2-25a targets an NXP S32K144 MCU. It is intended for use with the S32K144 EVB board.

TTRD2-25a is designed to illustrate how we can support ‘ASIL decomposition’ (in compliance with international safety standard ISO 26262) using a TT architecture. Such an approach was followed in the ‘winning design’ in the case study in ‘ERES2‘, Chapter 25.

This example is documented more fully in a related case study.

empty_space

empty_space

This version of TTRD2-25 targets an NXP® S32K144 processor (and the S32K144 Evaluation Board).

TTRD2-25a includes the following components:

  • a TTC (Task) scheduler [‘ASIL B’ in the production code];
  • two sensor-processing tasks [‘ASIL A’ in the production code];
  • a sensor-fusion task [‘ASIL B’ in the production code];

In the production code, the sensor-processing tasks – which are the core ‘decomposed’ components in this simplified example – would be implemented as ‘Diverse Tasks’: see ‘ERES2‘, Chapter 6.

In TTRD2-25a, the ‘sensor-processing’ involves reading two inputs (SW2 and SW7 on the S32K144 EVB). One task uses a conventional switch and the other uses a capacitive touch sensor (to illustrate the requirements for design and implementation diversity)

The ‘sensor fusion’ task then performs some sanity checks on the outputs from the two two sensor tasks and – if it is happy – it changes the state of an LED.

Overall – while the example is very simple – the software architecture is appropriate for use in an ‘ASIL B’ design.

empty_space

empty_space

empty_space

TTRD2-a07a [STM32F401 target, Keil uVision project]

empty_space
Latest version is ttrd2-a07a-t0401a-v001a (zip file) [Release 2017-03-06a].

This TTRD targets an STM32F401RE MCU. It is designed to run on a Nucleo-F401RE board. An external 16 MHz xtal is assumed to be present.

Please see ‘ERES2‘ Appx 07a and Chapter 19 for further information.

TTRD2-a07a is a key example for many TT development teams. This TTRD implements an ‘instrumented’ scheduler (based on TTRD2-19a in this example, but it can be adapted to any design). The example supports measurement of task execution-time (‘WCET’ and ‘BCET’) as well as measurements of ‘tick jitter’.

empty_space

empty_space

TTRD2-a08a [STM32F401 target, Keil uVision project]

empty_space
Latest version is ttrd2-a08a-t0401a-v001a (zip file) [Release 2017-03-06a].

This TTRD targets an STM32F401RE MCU. It is designed to run on a Nucleo-F401RE board. An external 16 MHz xtal is assumed to be present.

Please see ‘ERES2‘ Appendix 8 for further information.

TTRD2-a08a is another key example for TT development teams. This TTRD implements a ‘Dry Scheduler’: this type of project is used to generate ‘Tick Lists’. For example, the configuration presented here can be used to generate the Tick List that is employed by the PredicTTor mechanism in TTRD2-19a.

empty_space

empty_space

TTRD2-a09x [LPC1769 target, Keil uVision project]

empty_space
Further information will be available shortly.
empty_space

empty_space

TTRD2-a10x [LPC1769 target, Keil uVision project]

empty_space
Further information will be available shortly.
empty_space

empty_space

Are the TTRDs from ‘ERES1’ still available?

empty_space
You can download the latest (and final) TTRDs from ‘ERES1’ here (zipped file).
empty_space