Do you need to create safe and reliable embedded systems?


Our SafeTTy Solutions™ Packages are designed to help your development team produce a safety-related embedded system quickly and cost-effectively, in compliance with one or more international safety standards (IEC 61508, ISO 26262, DO-178C, IEC 62304, IEC 60730 …).

SafeTTy Solutions Packages are based on TT designs and include carefully-selected combinations of our various products and services.

SafeTTy Solutions Packages include an appropriate ReliabiliTTy® licence.

We provide further information about SafeTTy Solutions Packages on this page.

[This page was last updated: 2018-03-09]


Video introduction to SafeTTy Solutions Packages


This 25-minute video explains how a SafeTTy Solutions Package can be used to support the rapid and cost-effective development of safety-related embedded systems in a wide range of market sectors. A copy of the presentation slides can be downloaded (PDF file).

The video provides an overview of the contents of a typical SafeTTy Solutions Package (SSP). It goes on to explain the central role that a customised TT software framework plays in such a package. Potential hardware targets that can be employed with an SSP are considered. The flexible training and consultancy support elements of the package are then described. Finally, two package examples are considered (with representative costings).


What’s included in a SafeTTy Solutions Package?


Your TT software framework

We provide a fully-customised TT software framework (with source code) to the majority of ReliabiliTTy licensees as part of their SafeTTy Solutions package.

  • Our customers develop their application software by building on this framework, supported by training and / or consultancy services from our team.
  • This combination of code framework and highly-experienced support can significantly reduce the development effort (and time) required to create a reliable TT design – and achieve compliance with international safety standards.
  • In addition to providing a foundation for reliable embedded systems, our code frameworks support code-coverage analysis, execution-time measurement and determination of maximum (not average) CPU loading for your system. These benefits are achieved ‘out of the box’ (without the need to purchase any other support tools from SafeTTy Systems or from third-party organisations).

The end result is that many of our customers require only a SafeTTy Solutions package and a suitable compiler in order to complete the software development for their safety-related embedded system.

Please contact us for further details.

ReliabiliTTy® Technology Licence

All SafeTTy Solutions Packages include a ReliabiliTTy® Technology Licence (RTL).

RTLs allow use of the technology and ‘Time-Triggered Reference Designs’ (TTRDs) described in the ‘ERES2’ book (including all technology patented by SafeTTy Systems Ltd) in sectors ranging from aerospace, automotive, medical and industrial systems through to household goods.

Learn more about RTL categories …

Consultancy and training

If your team has not previously built a TT design, we recommend that they start the project with a brief period of training (2-4 days).

After this, we can provide support – as required – to ensure that the project progresses smoothly.

Support for product certification

In some cases, our customers need to have their products ‘certified’ by TÜV or other organisations.

We can support this process, if required.


Example SafeTTy Solutions™ Package (SSP-RTL2)

A typical 6-month ‘SSP-RTL2 package’ will include:

  • a TT code framework, fully customised to match the needs of your project;
  • a full (permanent, royalty-free) ReliabiliTTy® licence (Product Licence, RTL2);
  • on-site delivery of our TTb+ course (over 4 days, for up to six people) in Month 1;
  • 10 days of consultancy support for your project (delivered from Month 2 to Month 6);
  • six copies of the ‘ERES2’ book.

This package is intended to meet the needs of organisations that are developing products in compliance with IEC 61508 (‘SIL 2’), ISO 26262 (‘ASIL B’) and related standards.

Our typical (total) fee for the above RTL2 package is £50,000* (price quoted is in UK Pounds).

If required, we can extend the consultancy support for a further 6 months (two days per month) for a further £12,000*.

We offer this package on a world-wide basis.

*There may be an additional charge to cover travel / accommodation (depending on your location): any such charges will (of course) be discussed with you and included in your formal quotation. Fees and charges may be subject to VAT, depending on your location.


Example SafeTTy Solutions™ Package (SSP-RTL4)

A typical 6-month ‘SSP-RTL4 package’ will include:

  • a TT code framework, fully customised to match the needs of your project;
  • a full (permanent, royalty-free) ReliabiliTTy® licence (Product Licence, RTL4);
  • on-site delivery of our TTb+ course (over 4 days, for up to six people) in Month 1;
  • 10 days of consultancy support for your project (delivered from Month 2 to Month 6);
  • six copies of the ‘ERES2’ book.

This package is intended to meet the needs of organisations that are developing products in compliance with IEC 61508 (‘SIL 3’), ISO 26262 (‘ASIL D’) and related standards.

Our typical (total) fee for the above SSP-RTL4 package is £70,000* (price quoted is in UK Pounds).

If required, we can extend the consultancy support for a further 6 months (two days per month) for a further £12,000*.

We offer this package on a world-wide basis.

*There may be an additional charge to cover travel / accommodation (depending on your location): any such charges will (of course) be discussed with you and included in your formal quotation. Fees and charges may be subject to VAT, depending on your location.


Fully customised packages

We can provide fully customised SafeTTy Solution packages on request (to match your precise requirements).

Please contact us for further details.


What kind of system can be developed using a SafeTTy Solutions Package?


We have created some short examples to illustrate the types of projects that we have supported:

These are simply examples of the type of project that we can support. Please contact us to discuss your specific requirements.


Example: Monitoring a controller for an autonomous vehicle (ISO 26262, ‘ASIL D’)

In this example, we assume that a controller for an ‘autonomous road vehicle’ (ARV, or driverless passenger car) has been developed.

We further assume: [i] that the ARV controller was developed carefully, but the work was not conducted in compliance with ISO 26262 (the relevant international safety standard); and [ii] that the ARV controller cannot be assigned an ‘ASIL’ rating: it is considered to be ‘QM’.

In order to improve confidence in the safety and reliability of the ARV, we will add a ‘TT Wrapper’ to this design. In combination, the ARV controller (‘QM’) and the TT Wrapper (‘ASIL D’) will allow us to achieve ‘ASIL D’ requirements.


Further information

Learn more about this example …

SafeTTy Solutions Package

This design could be implemented using: SSP-RTL4.


Example: ‘Steering-Column Lock Controller’ for a high-volume passenger car (ISO 26262, ‘ASIL D’)


In this example we consider the development of a Steering-Column Lock Controller (SCLC) that is to be used in a high-volume passenger car.

The SCLC is intended to secure the vehicle when it is not in use. It is required to operate as follows. To secure the vehicle, a locking bolt is inserted into the steering column: when the vehicle is being used, the bolt must be fully removed.

In our design, the locking bolt is to be positioned by means of a reversible DC motor. Turning the motor in one direction locks the steering column; turning the motor in the other direction unlocks the column.

The motor is to be controlled by means of an ‘H Bridge’ arrangement.

There are various possible design options for this system: one possible design is illustrated in the figure below. This is based on a ‘DecomposiTTor’ software platform.


Further information

Learn more about this example …

SafeTTy Solutions Package

The designs discussed in this section could be implemented using: SSP-RTL4.


Example: Dealing with ‘SOUP’ in a Medical Infusion Pump (IEC 62304, ‘Class C’)

This example is concerned with the development of software for the controller that is to be used in a medical infusion pump.

The controller is to be developed in compliance with IEC 62304.

IEC 62304 defines a software item that has already been developed, is generally available and that was not developed for the purpose of being incorporated into a medical device as ‘SOUP’ (Software Of Unknown Provenance).

We assume that our medical infusion pump will involve use of such SOUP.

The figure below illustrates use of a TT Wrapper (implemented using a CorrelaTTor-B software platform) as a means of dealing with the SOUP.


Further information

Learn more about this example …

SafeTTy Solutions Package

This design could be implemented using: SSP-RTL4.


Example: Industrial Monitoring System (IEC 61508, ‘SIL 2’)

In this example, we consider a sounder unit for use as part of an industrial monitoring system (IMS).

The sounder unit is to be used to sound an alarm if a fire, gas leak or another potential hazard is detected by the IMS.

The sounder unit is to be implemented in compliance with IEC 61508 (at ‘SIL 2’).

The figure below shows a schematic representation of a CorrelaTTor-B software platform that could be used to implement the sounder.


Further information

Learn more about this example …

SafeTTy Solutions Package

This design could be implemented using: SSP-RTL2.


Example: Controller for Industrial Robot (IEC 61508, ‘SIL 3’)

In this example, we are concerned with the design of part of a control system for an industrial robot.

The controller is to be implemented in compliance with IEC 61508 (at ‘SIL 3’).

‘Hardware Fault Tolerance’ (HFT) is a key consideration in many IEC 61508 designs at ‘SIL 3’.

When HFT = 0, this means that there is only a single processing path available. If this path fails, it may be challenging to: [i] detect this failure; and [ii] ensure that the system can enter an appropriate ‘Fail-Safe State’.

When HFT = 1, this means that there is a second (independent) processing path available: if one processing path fails, the second processing path is intended to be able to both detect this failure and act appropriately (typically by forcing the system into an appropriate Fail-Safe State).

In order to achieve compliance with IEC 61508 at ‘SIL 3’ level, our design incorporates two microcontrollers and implements a DuplicaTTor-B software platform.


Further information

Learn more about this example …

SafeTTy Solutions Package

This design could be implemented using: SSP-RTL4.


Example: Determining that a machinery-operator is ‘in place’ (ISO 13849, ‘PL e’)

In this example, the aim is to ensure that the operator of a piece of equipment is alert: if (for example) the operator falls asleep, becomes ill or leaves his or her position for some other reason, the equipment that the operator is responsible for must be shut down safely.

This ‘Operator in Place’ (OiP) controller is to be developed in compliance with ISO 13849.

ISO 13849 applies to the development of control systems for a very wide range of machinery.

More specifically, ISO 13849-1 provides safety requirements and guidance on the principles for the design and integration of safety-related parts of control systems (SRP/CS), including the design of software.

ISO 13849-1 provides specific requirements for SRP/CS using programmable electronic system(s).

ISO 13849-1 includes a set of 5 ‘designated architectures’ (DAs): using one of these DAs may help to make it easier to demonstrate compliance with the standard. As an example, the figure below represents a Category 4 designated architecture.


The figure below illustrates an outline design for an OiP system that is intended to meet both ISO 13849 (Category 4 / PL e) and IEC 61508 (‘SIL 3’) requirements.


Further information

Learn more about this example …

SafeTTy Solutions Package

This design could be implemented using: SSP-RTL4.


Example: Controller for a domestic washing machine (IEC 60730 / IEC 60335, ‘Class B’)

At heart, a domestic washing machine consists of a powerful electric motor enclosed in a metal casing. As a normal part of the device operation, the electric motor is used to rotate a heavy metal drum at high speed. Access to this potentially-dangerous mechanism is controlled by a door with an electronic locking mechanism.

The device is used in a domestic environment. There is a risk of injury if access is obtained to the drum while it is rotating. Such injuries could potentially be severe (including loss of a limb), or even life-threatening, particularly for a small child.

The device is connected to a pressurised water supply. The drum is filled with water as a normal part of its operation. There is a risk of flooding if the door is opened at the wrong time: we will assume that this is a ‘nuisance issue’ (rather than a safety issue). However, a combination of water and an electrical supply must always be treated with caution.

Controllers for such a washing machine must comply with international safety standards IEC 60730 / IEC 60335 (at ‘Class B’).

A suitable software architecture for this design (based on a CorrelaTTor-A platform) is illustrated schematically in the figure below.


Further information

Learn more about this example …

SafeTTy Solutions Package

The designs discussed in this section could be implemented using: SSP-RTL2.


Example: Using TT Wrappers in civilian aircraft systems (DO-178C / DO-254)


In many cases, control systems for civilian aircraft – developed in compliance with DO-254 / DO-178 (and related) standards – have traditionally been based on customised processors that were designed to meet the challenges faced by safety-critical systems operating at high altitude. For example, such processors may be exposed to higher levels of radiation than ground-based designs and can be designed accordingly.

In more recent aircraft designs, ‘Commercial Off The Shelf’ (COTS) processors have become more common. In such systems, the possibility that the COTS processor will ‘misbehave’ may be addressed through use of a ‘safety net’, which is defined as the employment of mitigations and protections at the appropriate level of aircraft and system design to help ensure continuous safe flight and landing.

This approach requires the safety net to be designed as a component within the aircraft system.

Use of a TT Wrapper can be an effective way of performing the required monitoring of a complex COTS processor.


Further information

Learn more about this example …

SafeTTy Solutions Package

The design discussed in this section could be implemented using: SSP-RTL4.


Example: Developing high-reliability space-based systems

The majority of the examples presented on this page involve the development of safety-related and safety-critical embedded systems.

Our technology is also used in other systems (for example, in the space sector, deep-sea monitoring and animal tracking) in which there are no direct safety implications, but the cost of system recovery / repair would be prohibitive.

In the space sector our technology is currently used in ‘payloads’ (rather than – for example – control of the launch vehicle).

In such designs, the benefit obtained through use of a TT architecture is that the behaviour is highly deterministic, and it is therefore possible to detect even very small changes that may indicate an incipient failure. In these circumstances, a controlled reset can be performed.

This makes sense in many space-based systems because – when a discrepancy is detected at run time – the root cause of problems may be a form of transitory, radiation-linked, ‘single event upset’ (SEU): in these circumstances, a carefully-controlled reset (at the correct time) can be expected to address the problem.
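As an added illustration of the detection step described above (example code written for this page, not SafeTTy Systems code and not the DuplicaTTor platform), the following C monitor checks every task in a small TT schedule against its expected sequence and execution-time window, latches any deviation, and offers a controlled-reset path; the task ids, tick limits and traces are all constructed.

```c
#include <stdint.h>
#include <stddef.h>

/* Added illustration, not SafeTTy Systems code: a monitor for a small
 * time-triggered (TT) schedule. After every task it checks that the expected
 * task ran and that its measured execution time stayed inside the window
 * fixed during timing characterisation. Task ids, tick counts, limits and
 * traces below are all constructed for this example. */
typedef enum { MON_OK = 0, MON_SEQUENCE_ERROR, MON_TIMING_ERROR } mon_status_t;
typedef struct { uint32_t min_ticks, max_ticks; } task_limits_t;
/* Per-task limits. A lower bound matters too: a task that finishes 'too quickly'
 * may have skipped work because a corrupted variable (e.g. after an SEU) altered its flow. */
static const task_limits_t LIMITS[] = {
    {  40,  60 },   /* task 0: read_sensors */
    { 180, 220 },   /* task 1: process      */
    {  90, 110 },   /* task 2: transmit     */
};
#define NUM_TASKS (sizeof LIMITS / sizeof LIMITS[0])
#define CYCLE_LEN 4
static const uint8_t SCHEDULE[CYCLE_LEN] = { 0, 1, 0, 2 };  /* task run in each tick */
typedef struct {
    uint8_t      tick;            /* position in the cycle */
    mon_status_t status;          /* latched until a controlled reset */
    uint8_t      deviating_task;  /* task that triggered the error */
} monitor_t;

/* The 'controlled reset' path: clear latched state and restart the cycle. */
void monitor_reset(monitor_t *m) { m->tick = 0; m->status = MON_OK; m->deviating_task = 0; }
static mon_status_t latch(monitor_t *m, mon_status_t s, uint8_t id) { m->status = s; m->deviating_task = id; return s; }

/* Called by the scheduler after each task completes. Any error is latched and is
 * what the wrapper acts on, normally by forcing a controlled reset. */
mon_status_t monitor_record(monitor_t *m, uint8_t task_id, uint32_t elapsed_ticks)
{
    if (m->status != MON_OK) return m->status;               /* already latched */
    if ((size_t)task_id >= NUM_TASKS || task_id != SCHEDULE[m->tick])
        return latch(m, MON_SEQUENCE_ERROR, task_id);
    const task_limits_t *l = &LIMITS[task_id];
    if (elapsed_ticks < l->min_ticks || elapsed_ticks > l->max_ticks)
        return latch(m, MON_TIMING_ERROR, task_id);
    m->tick = (uint8_t)((m->tick + 1) % CYCLE_LEN);
    return MON_OK;
}

/* Runs a recorded trace through a fresh monitor and reports the offending task. */
mon_status_t check_trace(const uint8_t *ids, const uint32_t *times, size_t n, uint8_t *bad_task)
{
    monitor_t m; monitor_reset(&m);
    for (size_t i = 0; i < n; i++) monitor_record(&m, ids[i], times[i]);
    if (bad_task) *bad_task = m.deviating_task;
    return m.status;
}

/* Constructed traces: a healthy cycle, one where 'process' overran, one where the wrong task ran. */
static const uint8_t  TRACE_IDS[4]     = { 0, 1, 0, 2 };
static const uint8_t  TRACE_BAD_IDS[4] = { 0, 0, 0, 2 };
static const uint32_t TRACE_GOOD[4]    = { 50, 200, 45, 100 };
static const uint32_t TRACE_SLOW[4]    = { 50, 230, 45, 100 };
```

On a real target the elapsed-tick value would come from a hardware timer read by the scheduler around each task, and the latched status would drive the reset decision rather than being returned to a caller.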

The figure below illustrates – schematically – the use of a DuplicaTTor software platform with two microcontrollers (MCUs) in a space-based design that could be used to achieve this goal.


Further information

Please contact us for further information.

SafeTTy Solutions Package

The designs discussed in this section could be implemented using: SSP-RTL4.


Can we help you?


If your organisation is having difficulty creating safe and reliable embedded systems in any sector, then we may be able to help – please contact us to arrange an initial 30-minute phone discussion (free of charge and without commitment).

If – at the end of the call – we think we can help (and you wish to continue), we will ask that you consider signing up for a Taster Day.

Taster Days have been designed to: [i] explain how TT architectures can be used to support the engineering of safety-related embedded systems; and – more importantly – [ii] to allow you to determine the level of benefit that use of a TT architecture in your next project may offer for your organisation.

The Taster Day programme is delivered on your company site (anywhere in the world) on a date of your choosing.

If you sign up for a Taster Day and subsequently choose to purchase a SafeTTy Solutions Package, your fee for the Taster Day will be deducted from the SSP fee.

Learn more about Taster Days …
