Developing embedded systems for safety-critical markets is not easy. Over the past decade, detecting and handling the errors arising from increasingly unreliable hardware and increasingly complex, multi-threaded software has made this even more difficult. This paper describes a software architecture that separates various aspects of the system design, providing increased and tuneable immunity to random software and hardware errors.