Deterministic, bit-perfect ML training for safety-critical systems.
Pure C99. Zero dynamic allocation. Certifiable for DO-178C, IEC 62304, and ISO 26262.
🔴 Live Demo: training.speytech.com
Training machine learning models is inherently non-deterministic:
- Floating-point operations vary across platforms
- Parallel reductions produce different results each run
- Stochastic gradient descent introduces randomness
- Data shuffling depends on random number generators
For safety-critical systems, you cannot certify what you cannot reproduce.
Read more: Why Floating Point Is Dangerous
certifiable-training defines training as a deterministic state evolution:
Q16.16 weights, Q8.24 gradients, Q32.32 accumulators. Same math, same result, every platform.
Fixed tree topology with Neumaier compensated summation. Parallel execution, deterministic result.
Counter-based PRNG: PRNG(seed, op_id, step) → deterministic bits. Same seed = same sequence.
Every training step cryptographically committed. Any step verifiable in O(1) time.
Result: θ_T = T^(T)(θ_0, D, seed) — Training is a pure function.
All core modules complete — 10/10 test suites passing.
| Module | Description | Status |
|---|---|---|
| DVM Primitives | Fixed-point arithmetic with fault detection | ✅ |
| Counter-based PRNG | Deterministic pseudo-random generation | ✅ |
| Compensated Summation | Neumaier algorithm for precision | ✅ |
| Reduction Tree | Fixed-topology parallel reduction | ✅ |
| Forward Pass | Q16.16 activations (ReLU, sigmoid, tanh) | ✅ |
| Backward Pass | Q8.24 gradient computation | ✅ |
| Optimizers | SGD, Momentum, Adam | ✅ |
| Merkle Chain | SHA256 audit trail with checkpoints | ✅ |
| Data Permutation | Cycle-Walking Feistel bijection | ✅ |
| Bit Identity | Cross-platform reproducibility tests | ✅ |
All project tasks are available as Makefile targets, and GitHub Actions CI uses
these to ensure that they are not stale. Documentation of the commands are
available via make help.
When building the project for the first time, run make deps.
To building everything (i.e. config, build, test), run make. Otherwise, use
individual Makefile targets as desired.
$ make help
Makefile Usage:
make <target>
Dependencies
deps Install project dependencies
Development
config Configure the build
build Build the project
Testing
test Run tests
Project Management
install Install the project
release Build release artifacts
Maintenance
clean Remove all build artifacts
Documentation
help Display this help100% tests passed, 0 tests failed out of 10
Total Test time (real) = 0.04 sec
#include "ct_types.h"
#include "dvm.h"
#include "forward.h"
#include "backward.h"
#include "optimizer.h"
#include "merkle.h"
#include "permutation.h"
// All buffers pre-allocated (no malloc)
fixed_t weights[784 * 128];
grad_t gradients[784 * 128];
ct_fault_flags_t faults = {0};
// Initialize Merkle chain
ct_merkle_ctx_t merkle;
ct_merkle_init(&merkle, &weights_tensor, config, config_size, seed);
// Get batch via deterministic permutation
ct_batch_ctx_t batch;
ct_batch_init(&batch, seed, epoch, dataset_size, batch_size);
ct_batch_get_indices(&batch, step, indices, &faults);
// Forward pass
ct_forward_linear(&layer, input, output, &faults);
ct_forward_relu(output, activated, size, &faults);
// Backward pass
ct_backward_relu(grad_out, activated, grad_in, size, &faults);
ct_backward_linear(&layer, grad_in, &faults);
// Optimizer step
ct_sgd_step(&sgd, weights, gradients, size, &faults);
// Commit to Merkle chain
ct_merkle_step(&merkle, &weights_tensor, indices, batch_size, &step_record, &faults);
if (ct_has_fault(&faults)) {
// Chain invalidated - do not proceed
}All arithmetic operations use widening and saturation:
// CORRECT: Explicit widening
int64_t wide = (int64_t)a + (int64_t)b;
return dvm_clamp32(wide, &faults);
// FORBIDDEN: Raw overflow
return a + b; // Undefined behavior| Format | Use Case | Range | Precision |
|---|---|---|---|
| Q16.16 | Weights, activations | ±32768 | 1.5×10⁻⁵ |
| Q8.24 | Gradients | ±128 | 5.9×10⁻⁸ |
| Q32.32 | Accumulators | ±2³¹ | 2.3×10⁻¹⁰ |
Every operation signals faults without silent failure:
typedef struct {
uint32_t overflow : 1; // Saturated high
uint32_t underflow : 1; // Saturated low
uint32_t div_zero : 1; // Division by zero
uint32_t domain : 1; // Invalid input
uint32_t precision : 1; // Precision loss detected
} ct_fault_flags_t;Every training step produces a cryptographic commitment:
h_t = SHA256(h_{t-1} || H(θ_t) || H(B_t) || t)
Any step can be independently verified. If faults occur, the chain is invalidated.
Cycle-Walking Feistel provides true bijection for any dataset size N:
π: [0, N-1] → [0, N-1] (one-to-one and onto)
Same seed + epoch = same shuffle, every time, every platform.
- CT-MATH-001.md — Mathematical foundations
- CT-STRUCT-001.md — Data structure specifications
- docs/requirements/ — SRS documents with full traceability
| Project | Description |
|---|---|
| certifiable-data | Deterministic data pipeline |
| certifiable-training | Deterministic training engine |
| certifiable-quant | Deterministic quantization |
| certifiable-deploy | Deterministic model packaging |
| certifiable-inference | Deterministic inference engine |
Together, these projects provide a complete deterministic ML pipeline for safety-critical systems:
certifiable-data → certifiable-training → certifiable-quant → certifiable-deploy → certifiable-inference
IEC 62304 Class C requires traceable, reproducible software. Non-deterministic training cannot be validated.
ISO 26262 ASIL-D demands provable behavior. Training must be auditable.
DO-178C Level A requires complete requirements traceability. "We trained it and it works" is not certifiable.
This is the first ML training system designed from the ground up for safety-critical certification.
This implementation is designed to support certification under:
- DO-178C (Aerospace software)
- IEC 62304 (Medical device software)
- ISO 26262 (Automotive functional safety)
- IEC 61508 (Industrial safety systems)
For compliance packages and certification assistance, contact below.
Want to understand the engineering principles behind certifiable-training?
Determinism & Reproducibility:
- Bit-Perfect Reproducibility: Why It Matters and How to Prove It
- The ML Non-Determinism Problem
- From Proofs to Code: Mathematical Transcription in C
Audit & Verification:
Safety-Critical Foundations:
- The Real Cost of Dynamic Memory in Safety-Critical Systems
- Closure, Totality, and the Algebra of Safe Systems
Production ML Architecture:
We welcome contributions from systems engineers working in safety-critical domains. See CONTRIBUTING.md.
Important: All contributors must sign a Contributor License Agreement.
Dual Licensed:
- Open Source: GNU General Public License v3.0 (GPLv3)
- Commercial: Available for proprietary use in safety-critical systems
For commercial licensing and compliance documentation packages, contact below.
This implementation is built on the Murray Deterministic Computing Platform (MDCP), protected by UK Patent GB2521625.0.
MDCP defines a deterministic computing architecture for safety-critical systems, providing:
- Provable execution bounds
- Resource-deterministic operation
- Certification-ready patterns
- Platform-independent behavior
For commercial licensing inquiries: william@fstopify.com
Built by SpeyTech in the Scottish Highlands.
30 years of UNIX infrastructure experience applied to deterministic computing for safety-critical systems.
Patent: UK GB2521625.0 - Murray Deterministic Computing Platform (MDCP)
Contact:
William Murray
william@fstopify.com
speytech.com
Building deterministic AI systems for when lives depend on the answer.
Copyright © 2026 The Murray Family Innovation Trust. All rights reserved.