Achieving compliance with international safety standards using TT systems
Use of TT systems can help organisations to develop products in compliance with international safety standards.
As examples, the following standards are considered on this page:
- IEC 61508 (Industrial / Generic)
- ISO 26262 (Automotive)
- IEC 62304 (Medical)
- ISO 13849 (Machinery)
- IEC 60335 / IEC 60730 (Household Goods)
- DO-178C (Civil Aerospace)
You may find it useful to refer to our Technology page before reading this page.
[This page was last updated: 2017-10-17]
Recommended platforms for TT embedded systems
There are a large number of possible implementation options for TT systems: we find it useful to view these as a range of different “platforms”. The links between some of these platforms and some key international safety standards are summarised in the table below.
For example, the figure below gives an overview of a CorrelaTTor® platform.
Further information about different TT platforms that we find to be particularly effective when developing systems in compliance with international safety standards is provided in the ‘ERES2’ book.
Industrial / Generic Standard: IEC 61508 (2010)
International safety standard IEC 61508 is concerned with functional safety, achieved by means of systems that are primarily implemented in electrical and/or electronic and/or programmable electronic technologies (for example, using microcontrollers and appropriate software).
These are examples of the type of system that might be developed in compliance with IEC 61508:
- emergency shut-down system in a hazardous chemical process plant;
- crane safe load indicator;
- railway signalling system;
- guard interlocking and emergency stopping systems for machinery;
- variable speed motor drive used to restrict speed as a means of protection;
- system for interlocking and controlling the exposure dose of a medical radiotherapy machine;
- dynamic positioning (control of a ship’s movement when in proximity to an offshore installation);
- fly-by-wire operation of aircraft flight control surfaces;
- automobile indicator lights, anti-lock braking and engine-management systems;
- remote monitoring, operation or programming of a network-enabled process plant;
- an information-based decision support tool where erroneous results affect safety.
IEC 61508 and TT architectures
TT architectures are “Highly Recommended” for systems of Safety Integrity Level (SIL) 2 or above. [IEC 61508-3 (2010), Table A.2]
Use of a TT architecture “Greatly reduces the effort required for testing and certifying the system” [IEC 61508-3 (2010), Table C.1]
Static synchronisation of access to shared resources – a key characteristic of all TT designs – is “Recommended” (SIL3) / “Highly Recommended” (SIL4). [IEC 61508-3 (2010), Table A.2]
Limited use of interrupts – a defining characteristic of TT designs – is “Recommended” for SIL1 and SIL2 systems and “Highly Recommended” for SIL3 and SIL4 systems. [IEC 61508-3 (2010), Table B.1]
TT architectures also provide a highly-effective platform for designs that employ “SIL decomposition”: see IEC 61508-2, Clause 7.4.3.
An example of a TT (‘SIL 2’) design for use in an industrial monitoring system is shown in the figure below.
You will find further information in the related design example.
Automotive Standard: ISO 26262 (2011-2012)
ISO 26262 is the adaptation of IEC 61508 to comply with needs specific to the application sector of electrical and/or electronic (E/E) systems within road vehicles. This adaptation applies to all activities during the safety lifecycle of safety-related systems comprised of electrical, electronic and software components.
Safety is one of the key issues of future automobile development. New functionalities, not only in areas such as driver assistance, propulsion, vehicle dynamics control and active and passive safety systems, increasingly touch the domain of system safety engineering. Development and integration of these functionalities will strengthen the need for safe system development processes and the need to provide evidence that all reasonable system safety objectives are satisfied.
ISO 26262 and TT architectures
With respect to timing constraints, the effects of faults such as those listed below can be considered for the software elements executed in each software partition:
- blocking of execution;
- incorrect allocation of execution time;
- incorrect synchronization between software elements.
To deal with these problems, mechanisms such as “… time-triggered scheduling, monitoring of processor execution time, program sequence monitoring …” can be considered. [ISO 26262-6 (2011), Annex D]
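The two passages above (the IEC 61508 points about static synchronisation and limited use of interrupts, and the ISO 26262-6 Annex D mechanisms of time-triggered scheduling, execution-time monitoring and program-sequence monitoring) can be seen together in a small time-triggered cooperative scheduler. The block below is an added example written for this page; it is not code from the page, from ERES2 or from SafeTTy Systems. The task names, signatures, periods, budgets, the 1 ms tick and the fault-injection switches are all assumed for the demonstration, and the timer, tick interrupt and task workload are simulated with counters so that it runs on a host PC.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the page, ERES2 or SafeTTy Systems.
 * A minimal time-triggered cooperative scheduler driven by one periodic tick,
 * with two of the run-time checks named in ISO 26262-6 Annex D: monitoring of
 * task execution time and program-sequence monitoring. Timer, tick interrupt
 * and task workload are simulated with counters so the file runs on a host. */

#define TICK_US   1000u        /* assumed tick period: 1 ms */
#define MAX_TASKS 4u

enum { SAFE_NONE = 0, SAFE_REASON_OVERRUN = 1, SAFE_REASON_SEQUENCE = 2 };
enum { SIG_SENSOR = 0x11, SIG_CONTROL = 0x23, SIG_ACTUATE = 0x47 };  /* assumed marks */

typedef void (*task_fn)(void);

typedef struct {
    task_fn  fn;
    uint32_t signature;     /* mark the task must report every time it runs  */
    uint32_t period_ticks;  /* static schedule: period and first release tick */
    uint32_t next_tick;
    uint32_t budget_us;     /* WCET budget fixed at design time               */
    uint32_t max_seen_us;   /* measured maximum: timing-margin evidence       */
    uint32_t run_count;
} task_t;

static task_t   g_tasks[MAX_TASKS];
static uint32_t g_num_tasks;
static volatile uint32_t g_tick;   /* the only variable an ISR writes            */
static uint32_t g_sim_clock_us;    /* simulated free-running microsecond timer   */
static uint32_t g_seq_checksum;    /* signatures reported by tasks in this tick  */
static int      g_safe_state = SAFE_NONE;
static int      g_inject_overrun, g_inject_sequence_fault;   /* demo fault switches */

static void sim_work(uint32_t us)        { g_sim_clock_us += us; }     /* CPU time a task uses */
static void seq_mark(uint32_t signature) { g_seq_checksum += signature; }
static void enter_safe_state(int reason) { g_safe_state = reason; }    /* real target: outputs to safe values */

void sch_init(void)
{
    g_num_tasks = 0; g_tick = 0; g_sim_clock_us = 0; g_safe_state = SAFE_NONE;
}

void sch_add_task(task_fn fn, uint32_t sig, uint32_t period, uint32_t offset, uint32_t budget_us)
{
    task_t *t = &g_tasks[g_num_tasks++];
    t->fn = fn; t->signature = sig; t->period_ticks = period;
    t->next_tick = offset + 1;                  /* the first tick is tick 1 */
    t->budget_us = budget_us; t->max_seen_us = 0; t->run_count = 0;
}

/* Tick ISR: the only interrupt in the system, and it does nothing but count. */
void sch_tick_isr(void) { g_tick++; }

/* Main-loop dispatcher: runs every due task to completion, in table order, so
 * nothing pre-empts anything and shared data needs no locks. */
void sch_dispatch(void)
{
    uint32_t now = g_tick, expected = 0, tick_start = g_sim_clock_us;
    g_seq_checksum = 0;
    for (uint32_t i = 0; i < g_num_tasks; i++) {
        task_t *t = &g_tasks[i];
        if (t->next_tick > now) continue;
        expected += t->signature;
        uint32_t start = g_sim_clock_us;
        t->fn();
        uint32_t used = g_sim_clock_us - start;
        if (used > t->max_seen_us) t->max_seen_us = used;
        if (used > t->budget_us) { enter_safe_state(SAFE_REASON_OVERRUN); return; }
        t->run_count++;
        t->next_tick += t->period_ticks;
    }
    /* Sequence check: every released task reported its mark and nothing else ran. */
    if (g_seq_checksum != expected) { enter_safe_state(SAFE_REASON_SEQUENCE); return; }
    if (g_sim_clock_us - tick_start > TICK_US) enter_safe_state(SAFE_REASON_OVERRUN);
}

/* Demo tasks (hypothetical). Each reports its signature, then "works". */
static void task_sensor(void)  { seq_mark(SIG_SENSOR);  sim_work(200); }
static void task_control(void) { seq_mark(SIG_CONTROL); sim_work(g_inject_overrun ? 1500 : 300); }
static void task_actuate(void)
{
    if (!g_inject_sequence_fault) seq_mark(SIG_ACTUATE);  /* injected fault: mark skipped */
    sim_work(100);
}

uint32_t sch_run_count(uint32_t i)   { return g_tasks[i].run_count; }
uint32_t sch_max_seen_us(uint32_t i) { return g_tasks[i].max_seen_us; }

/* Builds the static schedule, runs it for `ticks` ticks and returns the
 * safe-state reason (SAFE_NONE if the system ran normally throughout). */
int demo_run(int inject_overrun, int inject_sequence_fault, uint32_t ticks)
{
    g_inject_overrun = inject_overrun; g_inject_sequence_fault = inject_sequence_fault;
    sch_init();
    sch_add_task(task_sensor,  SIG_SENSOR,   1, 0, 300);  /* every tick           */
    sch_add_task(task_control, SIG_CONTROL,  5, 1, 400);  /* every 5th, offset 1  */
    sch_add_task(task_actuate, SIG_ACTUATE, 10, 2, 200);  /* every 10th, offset 2 */
    for (uint32_t i = 0; i < ticks && g_safe_state == SAFE_NONE; i++) {
        sch_tick_isr();   /* raised by the timer hardware on a real target        */
        sch_dispatch();   /* then the main loop would sleep until the next tick   */
    }
    return g_safe_state;
}

int main(void)
{
    int r = demo_run(0, 0, 100);
    printf("normal:   safe state %d, control WCET seen %u us (budget 400)\n", r, (unsigned)sch_max_seen_us(1));
    printf("overrun:  safe state %d\n", demo_run(1, 0, 100));
    printf("sequence: safe state %d\n", demo_run(0, 1, 100));
    return 0;
}
```

Because the schedule is fixed at design time, the dispatcher knows exactly which signatures it should see in each tick, and a task that overruns its budget or leaves its expected control path is caught in the same tick in which it happens; the recorded `max_seen_us` per task is also the kind of measured timing margin that standards ask to be documented.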
TT architectures also provide a highly-effective platform for designs that employ ‘ASIL decomposition’: see ISO 26262-9, Clause 5.
Use of ASIL decomposition is illustrated in the following design:
Further information can be found in the related design example.
Medical Standard: IEC 62304 (2006) / Amendment 1 (2015)
IEC 62304 is concerned with the development of software for use in medical devices.
The standard notes that software is often an integral part of medical-device technology. It further notes that the effectiveness of a medical device that contains software requires: [i] knowledge of what the software is intended to do, and [ii] demonstration that the software will fulfill such intentions without causing unacceptable risks.
IEC 62304 requires that the manufacturer of the device assigns a safety class (Class A, Class B or Class C) to each software system.
The classes are assigned based on the impact that (failure of) the system may have:
- Class A: No injury or damage to health is possible
- Class B: Non-serious injury is possible
- Class C: Death or serious injury is possible
IEC 62304 and TT architectures
IEC 62304 is intended to be used together with other appropriate standards when developing a medical device. [IEC 62304 (2006), Section C.1]
In particular, readers of IEC 62304 are encouraged to use IEC 61508 as a source for good software methods, techniques and tools. [IEC 62304 (2006), Section C.7]
Many of the comments above about the use of TT architectures to achieve compliance with IEC 61508 also apply with IEC 62304 designs.
At a design level, IEC 62304 has a focus on the use of appropriate risk-control measures.
In our experience, the ‘TT Platforms’ presented in ‘ERES2’ provide a very effective way of implementing such measures.
As an example, the TT design illustrated in the figure below shows part of the control system for a ‘Linear Accelerator’ unit used in a radiotherapy unit.
This example is adapted from a case study in ‘ERES2’.
Such a system design could be explored using two DuplicaTTor Evaluation Boards.
Machinery Standard: ISO 13849-1 (2015)
ISO 13849 applies to the development of control systems for a very wide range of machinery.
More specifically, ISO 13849-1 provides safety requirements and guidance on the principles for the design and integration of safety-related parts of control systems (SRP/CS), including the design of software.
ISO 13849-1 provides specific requirements for SRP/CS using programmable electronic system(s).
ISO 13849-1 includes a set of 5 ‘designated architectures’ (DAs): using one of these DAs may help to make it easier to demonstrate compliance with the standard. As an example, the figure below represents a Category 4 designated architecture.
ISO 13849-1 and TT architectures
In our experience, the ‘TT Platforms’ presented in ‘ERES2’ provide an effective way of meeting the requirements for the various DAs in ISO 13849-1: please see the table below.
The figure below illustrates an outline design for an ‘Operator in Place’ system that is used to control a piece of machinery. This design implements a ‘Category 4’ designated architecture.
This design employs two low-cost cameras and a ‘DuplicaTTor-B’ platform to ensure that the machine can only move if there is an alert operator in the cab.
Such a system design could be explored using a DuplicaTTor Evaluation Board.
In addition to supporting the implementation of ‘designated architectures’, use of TT architectures can also simplify the process of meeting other key requirements in the ISO 13849 standard, such as those for “response-time” [ISO 13849-1 (2015), Section 5.2.6]
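The dual-channel ‘Operator in Place’ design described above relies on the two channels checking each other every tick. The block below is an added example of that cross-monitoring, written for this page; it is not code from the page, from ERES2 or from the DuplicaTTor platform. The message layout, the tolerances (`MAX_MSG_AGE_TICKS`, `MAX_DISAGREE_TICKS`), the sensor inputs and the inter-channel link are all assumed and simulated.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not code from the page, ERES2 or SafeTTy Systems.
 * Cross-monitoring between the two channels of a Category 4 style design:
 * each channel reads its own sensor, decides whether motion may be enabled,
 * publishes that decision every tick and checks the peer's last message.
 * The machine is enabled only while both channels enable (two output
 * switches in series). Sensors and the inter-channel link are simulated. */

#define MAX_MSG_AGE_TICKS  2u   /* assumed: peer message older than this = channel lost */
#define MAX_DISAGREE_TICKS 1u   /* assumed: skew tolerated between independent sensors  */

typedef enum { OUT_STOP = 0, OUT_ENABLE = 1 } output_t;

typedef struct {
    uint32_t tick;        /* when the decision was made: detects stale or replayed data */
    uint8_t  permit;      /* 0 or 1                                                     */
    uint8_t  permit_inv;  /* bitwise complement of permit: detects stuck/corrupt data    */
} xmsg_t;

typedef struct {
    bool     latched_fault;   /* a detected fault holds the channel in STOP until reset */
    uint32_t disagree_ticks;
} channel_t;

xmsg_t make_msg(uint32_t tick, bool permit)
{
    xmsg_t m = { tick, (uint8_t)permit, (uint8_t)~(uint8_t)permit };
    return m;
}

/* Cross-check run by one channel each tick against the peer's latest message. */
output_t cross_check(channel_t *ch, uint32_t tick, bool my_permit, const xmsg_t *peer)
{
    if (ch->latched_fault) return OUT_STOP;
    bool consistent = peer->permit <= 1 && (uint8_t)(peer->permit ^ peer->permit_inv) == 0xFF;
    bool fresh = (tick - peer->tick) <= MAX_MSG_AGE_TICKS;   /* unsigned: a "future" tick also fails */
    if (!consistent || !fresh) { ch->latched_fault = true; return OUT_STOP; }
    if ((peer->permit == 1) != my_permit) {
        /* One tick of disagreement can be sensor skew; persistent disagreement is a fault. */
        if (++ch->disagree_ticks > MAX_DISAGREE_TICKS) ch->latched_fault = true;
        return OUT_STOP;
    }
    ch->disagree_ticks = 0;
    return my_permit ? OUT_ENABLE : OUT_STOP;
}

typedef struct {
    channel_t a, b;
    xmsg_t    last_from_a, last_from_b;  /* simulated link receive buffers */
} system_t;

void system_init(system_t *s)
{
    s->a.latched_fault = s->b.latched_fault = false;
    s->a.disagree_ticks = s->b.disagree_ticks = 0;
    s->last_from_a = s->last_from_b = make_msg(0, false);
}

/* One tick of the two-channel system. `link_b_to_a_ok` false simulates the link
 * from channel B to channel A failing, so A keeps seeing B's old message. */
output_t system_step(system_t *s, uint32_t tick, bool sensor_a, bool sensor_b, bool link_b_to_a_ok)
{
    bool permit_a = sensor_a, permit_b = sensor_b;        /* each channel's own decision */
    s->last_from_a = make_msg(tick, permit_a);
    if (link_b_to_a_ok) s->last_from_b = make_msg(tick, permit_b);
    output_t out_a = cross_check(&s->a, tick, permit_a, &s->last_from_b);
    output_t out_b = cross_check(&s->b, tick, permit_b, &s->last_from_a);
    return (out_a == OUT_ENABLE && out_b == OUT_ENABLE) ? OUT_ENABLE : OUT_STOP;
}

int main(void)
{
    system_t s; system_init(&s);
    printf("both see operator:        %d\n", system_step(&s, 1, true, true, true));
    printf("B alone sees no operator: %d\n", system_step(&s, 2, true, false, true));
    printf("agree again:              %d\n", system_step(&s, 3, true, true, true));
    for (uint32_t t = 4; t <= 6; t++)
        printf("link B->A down, tick %u:   %d\n", (unsigned)t, system_step(&s, t, true, true, false));
    printf("A latched fault: %d\n", (int)s.a.latched_fault);
    return 0;
}
```

Three properties of the designated architecture are visible here: a single fault in either channel, in the link or in the data cannot enable the machine on its own; a lost or corrupted channel is detected within a bounded number of ticks rather than at the next demand; and the time stamp in every message means that a channel whose scheduler has stalled is detected as well as one that has produced a wrong answer.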
‘Household Goods’ Standards: IEC 60335 (2010) / IEC 60730 (2013)
[IEC 60335-1:2010+A1:2013] deals with the safety of electrical appliances for household and similar purposes, their rated voltage being not more than 250V for single-phase appliances and 480V for other appliances. … Appliances not intended for normal household use but which nevertheless may be a source of danger to the public, such as appliances intended to be used by laymen in shops, in light industry and on farms, are within the scope of this standard.
In general, [IEC 60730-1: 2013] applies to automatic electrical controls for use in, on, or in association with equipment for household and similar use. The equipment may use electricity, gas, oil, solid fuel, solar thermal energy, etc., or a combination thereof.
This International Standard is applicable to controls for building automation within the scope of ISO 16484.
This standard also applies to automatic electrical controls for equipment that may be used by the public, such as equipment intended to be used in shops, offices, hospitals, farms and commercial and industrial applications. …
This standard is also applicable to individual controls utilized as part of a control system or controls which are mechanically integral with multifunctional controls having non-electrical outputs.
IEC 60335, IEC 60730 and TT architectures
IEC 60730 and IEC 60335 are closely related (and compliance with both standards is usually required).
When developing embedded systems in compliance with IEC 60335-1, a key challenge is presented by Clause 19. This clause requires that electronic circuits be designed and applied in such a way that a fault condition will not render the appliance unsafe with regard to electric shock, fire hazard, mechanical hazard or dangerous malfunction.
The effort required to demonstrate compliance with this core clause (and the standard as a whole) depends on the class of equipment being developed: the options are Class A, Class B or Class C. These are defined in IEC 60730:
- Class A control functions are not intended to be relied upon for the safety of the application (IEC 60730, H.2.22.1).
- Class B control functions are intended to prevent an appliance from entering an unsafe state; however, failure of the control function will not lead directly to a hazardous situation (IEC 60730, H.2.22.2).
- Class C control functions are intended to prevent special hazards such as explosion; failure of such functions could directly cause a hazard in the appliance (IEC 60730, H.2.22.3).
Class B designs are often implemented using small microcontroller-based systems. One of the permitted architectures for a Class B control system is a single-channel (that is, single MCU) design with periodic self-test (IEC 60730, H.2.16.6).
In addition, compliance with IEC 60335 requires limited use of interrupts (IEC 60335, R.18.104.22.168).
Class C designs will generally require more than one microcontroller.
Using a TT architecture can provide a highly-effective way of meeting Class B and Class C requirements.
For example, ‘ERES2’ includes the design for a washing-machine controller (Class B).
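The single-channel Class B architecture with periodic self-test mentioned above is easy to fit into a TT design, because the self-test can simply be one more task in the static schedule. The block below is an added example written for this page, not code from the page, from ERES2 or from the washing-machine case study. It assumes a small "program image" and scratch RAM region constructed inline, a slice size of four bytes per tick, and that the reference CRC is supplied by the build; the known CRC-32 check value for the constructed image is used as that reference.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not code from the page, ERES2 or SafeTTy Systems.
 * Periodic self-test for a single-channel Class B design, written as a
 * time-triggered task: the work is split into slices so that each tick
 * does a bounded amount and the task stays within its WCET budget. Two
 * checks are shown: CRC-32 over a simulated program image (invariable
 * memory) against a reference value, and a pattern test over a scratch
 * RAM region (variable memory). In a real build the reference CRC is
 * computed at build time and stored with the image; here it is passed in. */

#define CRC_SLICE_BYTES 4u   /* assumed: image bytes checked per tick */

typedef enum { ST_IDLE, ST_CRC, ST_RAM, ST_PASS, ST_FAIL } st_state_t;

typedef struct {
    const uint8_t *image;  size_t image_len;  uint32_t expected_crc;
    volatile uint8_t *ram; size_t ram_len;
    size_t     pos;           /* progress within the current check         */
    uint32_t   crc;           /* running CRC carried between slices        */
    st_state_t state;
    int        fail_reason;   /* 1 = image CRC mismatch, 2 = RAM cell fault */
    uint32_t   pass_count;
} selftest_t;

static uint32_t crc32_update(uint32_t crc, const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc;
}

/* One-shot CRC-32 (IEEE, reflected), the routine a build step would use. */
uint32_t image_crc32(const uint8_t *p, size_t n) { return ~crc32_update(0xFFFFFFFFu, p, n); }

void selftest_init(selftest_t *st, const uint8_t *image, size_t image_len, uint32_t expected_crc,
                   volatile uint8_t *ram, size_t ram_len)
{
    memset(st, 0, sizeof *st);
    st->image = image; st->image_len = image_len; st->expected_crc = expected_crc;
    st->ram = ram; st->ram_len = ram_len; st->state = ST_IDLE;
}

/* One slice of the self-test; the TT scheduler calls this every tick. */
st_state_t selftest_slice(selftest_t *st)
{
    switch (st->state) {
    case ST_IDLE:
        st->pos = 0; st->crc = 0xFFFFFFFFu; st->state = ST_CRC;
        break;
    case ST_CRC: {
        size_t n = st->image_len - st->pos;
        if (n > CRC_SLICE_BYTES) n = CRC_SLICE_BYTES;
        st->crc = crc32_update(st->crc, st->image + st->pos, n);
        st->pos += n;
        if (st->pos == st->image_len) {
            if (~st->crc != st->expected_crc) { st->state = ST_FAIL; st->fail_reason = 1; }
            else { st->state = ST_RAM; st->pos = 0; }
        }
        break;
    }
    case ST_RAM: {
        /* One cell per slice: save, write both test patterns, read back, restore.
         * Only the scratch region is tested here; stack and data would need the
         * same treatment with interrupts masked while a cell is in use. */
        volatile uint8_t *cell = &st->ram[st->pos];
        uint8_t saved = *cell, ok = 1;
        *cell = 0x55; if (*cell != 0x55) ok = 0;
        *cell = 0xAA; if (*cell != 0xAA) ok = 0;
        *cell = saved;
        if (!ok) { st->state = ST_FAIL; st->fail_reason = 2; }
        else if (++st->pos == st->ram_len) st->state = ST_PASS;
        break;
    }
    case ST_PASS:
        st->pass_count++; st->state = ST_IDLE;   /* periodic: start the next cycle */
        break;
    case ST_FAIL:
        break;   /* terminal: the scheduler moves the appliance to its safe state */
    }
    return st->state;
}

/* Constructed "program image" and its known CRC-32 (the standard check value
 * for this byte string). A real image would be the flash contents. */
static const uint8_t k_image[] = "123456789";
#define K_IMAGE_LEN (sizeof k_image - 1)
#define K_IMAGE_CRC 0xCBF43926u
static volatile uint8_t g_scratch[8];

/* Runs slices until the first PASS or FAIL and reports how many slices it took. */
st_state_t demo_selftest(int corrupt_image, uint32_t *slices)
{
    static uint8_t image[sizeof k_image];
    memcpy(image, k_image, sizeof k_image);
    if (corrupt_image) image[3] ^= 0x01;     /* simulate a single flipped bit in flash */
    selftest_t st;
    selftest_init(&st, image, K_IMAGE_LEN, K_IMAGE_CRC, g_scratch, sizeof g_scratch);
    *slices = 0;
    st_state_t s;
    do { s = selftest_slice(&st); (*slices)++; } while (s != ST_PASS && s != ST_FAIL);
    return s;
}

int main(void)
{
    uint32_t n;
    st_state_t r = demo_selftest(0, &n);
    printf("intact image:    %s after %u slices\n", r == ST_PASS ? "PASS" : "FAIL", (unsigned)n);
    r = demo_selftest(1, &n);
    printf("corrupted image: %s after %u slices\n", r == ST_PASS ? "PASS" : "FAIL", (unsigned)n);
    return 0;
}
```

Slicing is what makes the self-test compatible with the TT approach: every call does at most four CRC bytes or one RAM cell, so its execution time is known and can be budgeted like any other task, and no interrupt is needed to run it. The detection latency is then simply the number of slices in one full cycle multiplied by the task period, which is a figure the design description can state explicitly.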
TT systems and DO-178C (2012)
The rapid increase in the use of software in airborne systems and equipment used on aircraft and engines in the early 1980s resulted in a need for industry-accepted guidance for satisfying airworthiness requirements. DO-178 / ED-12, “Software Considerations in Airborne Systems and Equipment Certification”, was written to satisfy this need.
This document, now revised in the light of experience, provides the aviation community with guidance for determining, in a consistent manner and with an acceptable level of confidence, that the software aspects of airborne systems and equipment comply with airworthiness requirements. As software use increases, technology evolves, and experience is gained in the application of this document, this document will be reviewed and revised.
DO-178C and TT architectures
DO-178C does not make recommendations about the use of specific software or system architectures (it is up to the system developer to justify the chosen approach). Our experience is that use of TT architectures (as opposed to “event-triggered” architectures) can greatly simplify the process of meeting DO-178C requirements.
For example, DO-178C requires the creation of a Design Description (DO-178C, Section 11.10).
Among other components, the Design Description should include the following:
- The description of the software architecture defining the software structure to implement the requirements.
- Resource limitations, the strategy for managing each resource and its limitations, the margins, and the method for measuring those margins, for example, timing and memory.
- Scheduling procedures and inter-processor/inter-task communication mechanisms, including time-rigid sequencing, preemptive scheduling, Ada rendezvous, and interrupts.
- Rationale for those design decisions that are traceable to safety-related system requirements.
In all of these cases, justifying design decisions is straightforward when a TT architecture is employed.
Learn more in ‘ERES2’
The Second Edition of ‘The Engineering of Reliable Embedded Systems’ (ERES2) documents an industry-proven approach to the development of software for reliable, real-time embedded systems, based on the use of ‘Time-Triggered’ (TT) architectures.
What distinguishes TT approaches is that it is possible to model the expected system behaviour precisely. This means that: [i] during the development process, we can demonstrate that all of the requirements have been met; and [ii] at run time, we can detect problems very quickly.
The end result is that we can have a high level of confidence that a TT system will either: [i] operate precisely as required; or [ii] move into an appropriate state if a problem occurs.
The above characteristics mean that appropriately-implemented TT systems provide a particularly effective means of meeting the requirements of various international safety standards.
In order to illustrate how the TT techniques presented in ERES2 can be employed in practical designs, five detailed case studies are included. These studies describe the development of embedded control and monitoring systems for the following products:
- an industrial alarm sounder unit (IEC 61508, SIL 2);
- a domestic washing machine (IEC 60730, Class B);
- a hospital radiotherapy machine (IEC 62304, Class C);
- a steering-column lock for a passenger car (ISO 26262, ASIL D);
- an aircraft jet engine (DO-178C, Level A).