TT Design Example (IEC 61508, SIL 2)
From our base in the UK Midlands, the team at SafeTTy Systems Ltd provides support for organisations across the world that need to create real-time embedded systems that are reliable, safe and secure.
Our customers include developers of industrial, automotive, marine, medical, aerospace, defence and satellite systems, as well as companies producing high-end consumer goods.
Our products and services are based on the use of ‘Time-Triggered’ (TT) system architectures.
On this page, we explore the design of part of a fire and gas monitoring system for use in an industrial setting.
This design is to be developed in compliance with IEC 61508 (SIL 2).
We begin by looking briefly at some of the links between TT systems and IEC 61508.
[This page was last updated: 2016-12-11]
TT software architectures
You’ll find an introduction to TT software architectures on our Technology page.
TT software architectures and IEC 61508
TT software architectures provide a strong foundation for robust and cost-effective IEC 61508 designs.
For example, TT architectures are “Highly Recommended” for systems of Safety Integrity Level (SIL) 2 or above. [IEC 61508-3 (2010), Table A.2]
Static synchronisation of access to shared resources – a key characteristic of all TT designs – is “Recommended” (SIL 3) / “Highly Recommended” (SIL 4). [IEC 61508-3 (2010), Table A.2]
Limited use of interrupts – a defining characteristic of TT designs – is “Recommended” for SIL 1 and SIL 2 systems and “Highly Recommended” for SIL 3 and SIL 4 systems. [IEC 61508-3 (2010), Table B.1]
Design of a sounder unit for an industrial alarm system: Overview
In this example, we will consider the development of a sounder unit (we’ll simply refer to it as the “Sounder”) for use as part of an industrial monitoring system (IMS). The unit is to be used to sound an alarm if a fire, gas leak or another potential hazard is detected by the IMS.
In this study we are concerned only with the Sounder unit.
There are likely to be a number of Sounder units in each IMS. Each Sounder unit will (we assume) be connected to a dedicated CAN bus.
We assume that the system will be required to have an operational life of 20 years.
We assume that the unit will be replaced (or repaired) within 8 hours of a fault being detected.
In this design, we assume that a CorrelaTTor® platform will be employed (specifically, a CorrelaTTor-B platform).
The architecture of this platform is illustrated below:
The resulting system architecture will then be as illustrated here:
Read the complete case study in ‘ERES2’
The Second Edition of ‘The Engineering of Reliable Embedded Systems’ (ERES2) documents an industry-proven approach to the development of software for reliable, real-time embedded systems, based on the use of ‘Time-Triggered’ (TT) architectures.
What distinguishes TT approaches is that it is possible to model the expected system behaviour precisely. This means that: [i] during the development process, we can demonstrate that all of the requirements have been met; and [ii] at run time, we can detect problems very quickly.
The end result is that we can have a high level of confidence that a TT system will either: [i] operate precisely as required; or [ii] move into an appropriate state if a problem occurs.
The above characteristics mean that appropriately-implemented TT systems provide a particularly effective means of meeting the requirements of various international safety standards.
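As an added illustration of points [i] and [ii] above (example code written for this page, not code from ERES2, SafeTTy Systems or the CorrelaTTor platform), the following C model of a co-operative TT scheduler keeps a static tick table, checks at design time that the tasks released in any tick fit inside that tick, and at run time latches into a fail-safe state the moment a task exceeds its execution-time budget. The 1 ms tick, the task names and all timing figures are assumptions made up for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define MAX_TASKS 4
#define TICK_US   1000u   /* assumed 1 ms scheduler tick */
typedef enum { SYS_NORMAL = 0, SYS_FAIL_SAFE = 1 } sys_state_t;
typedef struct {
    uint32_t (*run)(void); /* task body; here it returns its (simulated) execution time in us */
    uint32_t period;       /* release period, in ticks */
    uint32_t offset;       /* tick of first release within the period */
    uint32_t wcet_us;      /* worst-case execution time budget from design-time analysis */
} tt_task_t;
static tt_task_t   tasks[MAX_TASKS];
static size_t      n_tasks;
static sys_state_t state = SYS_NORMAL;

/* Register a task in the static tick table; an over-full or ill-formed entry is rejected. */
bool tt_add_task(uint32_t (*run)(void), uint32_t period, uint32_t offset, uint32_t wcet_us) {
    if (n_tasks >= MAX_TASKS || period == 0 || offset >= period) return false;
    tasks[n_tasks++] = (tt_task_t){ run, period, offset, wcet_us };
    return true;
}
static uint32_t gcd(uint32_t a, uint32_t b) { while (b) { uint32_t t = a % b; a = b; b = t; } return a; }
/* Design-time check [i]: over one hyperperiod, the WCETs of the tasks released in any
   single tick must fit inside that tick, so the static schedule itself cannot overrun. */
bool tt_schedule_fits(void) {
    uint32_t hyper = 1;
    for (size_t i = 0; i < n_tasks; i++) hyper = hyper / gcd(hyper, tasks[i].period) * tasks[i].period;
    for (uint32_t t = 0; t < hyper; t++) {
        uint32_t load = 0;
        for (size_t i = 0; i < n_tasks; i++)
            if (t % tasks[i].period == tasks[i].offset) load += tasks[i].wcet_us;
        if (load > TICK_US) return false;
    }
    return true;
}

/* Run-time monitor [ii]: run the tasks due in this tick co-operatively (no preemption, no
   interrupts beyond the tick); exceeding a WCET budget is a timing fault that latches fail-safe. */
sys_state_t tt_tick(uint32_t tick) {
    for (size_t i = 0; i < n_tasks && state == SYS_NORMAL; i++) {
        if (tick % tasks[i].period != tasks[i].offset) continue;
        if (tasks[i].run() > tasks[i].wcet_us) state = SYS_FAIL_SAFE;
    }
    return state;
}
/* Constructed stand-in tasks: each reports an execution time instead of doing real work. */
uint32_t can_rx_task(void) { return 200; }
uint32_t slow_task(void)   { return 1500; }  /* would overrun the 1 ms tick */
```

In a real Sounder the fail-safe branch would drive the output to its defined safe condition and report the fault over the CAN bus; here the state value alone is returned so the behaviour can be checked.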
In order to illustrate how the TT techniques presented in ERES2 can be employed in practical designs, five detailed case studies are included. These studies describe the development of embedded control and monitoring systems for the following products:
- an industrial alarm sounder unit (IEC 61508, SIL 2);
- a domestic washing machine (IEC 60730, Class B);
- a hospital radiotherapy machine (IEC 62304, Class C);
- a steering-column lock for a passenger car (ISO 26262, ASIL D);
- an aircraft jet engine (DO-178C, Level A).