manualshive.com logo in svg

ST STM32L4 Series, User Manual, Page: 73 / 110

Share
Download
ST STM32L4 Series User Manual Download Page 73

SM CODE

SPI_SM_2

Detailed implementation

This method is implemented adding to data packets transferred by SPI a redundancy check
(such as a 

CRC

 check, or similar one) with encoding capability. The checksum encoding

capability must be robust enough to guarantee at least 90% probability of detection for a
single bit flip in the data packet.

Consistency of data packet must be checked by 

Application software

 before consuming data.

Error reporting

Depends on implementation

Fault detection time

Depends on implementation

Addressed fault model

Permanent/transient

Dependency on 

Device

 configuration

None

Initialization

Depends on implementation

Periodicity

On demand

Test for the diagnostic

Not applicable

Multiple-fault protection

CPU_SM_0: Periodic core self-test software

Recommendations and known limitations

It is assumed that the remote SPI counterpart has an equivalent capability of performing the
check described.

To give an example on checksum encoding capability, using just a bit-by-bit addition is
unappropriated.

Table 130. 

SPI_SM_3

SM CODE

SPI_SM_3

Description

CRC

 packet-level

Ownership

ST

Detailed implementation

SPI communication module allows to activate automatic insertion (and check) of CRC-8 or
CRC-18 checksums to packet data.

Error reporting

Error flag raise and optional Interrupt Event generation

Fault detection time

Depends on peripheral configuration (for example baud rate). Refer to functional
documentation.

Addressed fault model

Permanent/transient

Dependency on 

Device

 configuration

None

Initialization

Depends on implementation

Periodicity

Continuous

Test for the diagnostic

Direct test procedure for CRC efficiency is not available. CRC run-time hardware failures
leading to disabling such protection fall into multiple-fault scenario, from IEC61508
perspective. Related failures are adequately mitigated by the combination of safety
mechanisms reported in this table, field 

Multiple-fault protection

.

Multiple-fault protection

SPI_SM_2: Information redundancy techniques on messages

Recommendations and known limitations

This method can be part of the implementation for SPI_SM_2 or SPI_SM_4. In that case,
because of the warning issued in the 

Test for the diagnostic

 field, this mechanism can not be

the only one to guarantee message integrity.

Table 131. 

SPI_SM_4

SM CODE

SPI_SM_4

Description

Information redundancy techniques on messages, including end-to-end protection

Ownership

End user

 UM2305

Hardware and software diagnostics

UM2305

 - 

Rev 10

page 73/110

Summary of Contents for STM32L4 Series

Page 1: ...the X CUBE STL software product It provides the essential information pertaining to the applicable functional safety standards which allows system designers to avoid going into unnecessary details The...

Page 2: ...nt item 3 2 D2 1 c constraints on the use of Compliant item or assumptions on which analysis of the behavior or failure rates of the item are based 3 2 D2 2 a the failure modes of Compliant item due t...

Page 3: ...nce documents 1 AN5112 Results of FMEA on STM32L4 and STM32L4 Series microcontrollers 2 AN5111 FMEDA snapshots for STM32L4 and STM32L4 Series microcontrollers UM2305 Reference documents UM2305 Rev 10...

Page 4: ...are development Software development Analysis of new product specification to forecast reliability performance Reliability plan reliability design rules prediction of failure rates for operating life...

Page 5: ...im is being made with respect to the clauses of IEC 61508 series Any mature Compliant item must be described in a safety manual available to End user In this document Compliant item is defined as a sy...

Page 6: ...safety functions consisting of three operations safe acquisition of safety related data from input peripheral s safe execution of Application software program and safe computation of related data saf...

Page 7: ...laiming hardware fault tolerance HFT equal to 1 Achievement of higher safety integrity levels as per IEC61508 2 Table 3 is therefore possible Appropriate separation between the two channels including...

Page 8: ...7 4 5 3 must be considered Figure 5 Allocation and target for STM32 PST System level PST MCU detection FW reaction SW reaction Actuator reaction STM32xx Series duty End user duty ASR3 Compliant item i...

Page 9: ...st operate Device s within its their specified absolute maximum rating capacity operating conditions For electrical specifications and environmental limits of Device s refer to its their technical doc...

Page 10: ...t transient or both and other information If ranked for Fault avoidance method contributes to lower the probability of occurrence of a failure If ranked for Systematic method is conceived to mitigate...

Page 11: ...or hang up Due to their intrinsic nature such failure modes are not addressed by a standard software test method like SM_CPU_0 Therefore it is necessary to implement a run time control of Application...

Page 12: ...nt formula if possible Error reporting Depends on implementation Fault detection time Depends on implementation Addressed fault model Transient Dependency on Device configuration None Initialization D...

Page 13: ...that are not protected by redundancy to implement defensive programming techniques plausibility check of passed values For example enumerated fields are to be checked for consistency Error reporting D...

Page 14: ...er to CPU_SM_1 addresses failure mode of program counter or control structures of CPU Error reporting Reset signal generation Fault detection time Depends on implementation watchdog timeout interval A...

Page 15: ...Firewall can protect a specific part of code or data in the non volatile memory and or it can protect volatile data in the SRAM 1 from interferences by the code executed outside the protected area Ill...

Page 16: ...forcement implemented by the MPU itself The implementation is based on intentionally performing read and write accesses outside the memory areas allowed by the MPU region programming and collecting an...

Page 17: ...isters required for several peripherals Table 15 BUS_SM_1 SM CODE BUS_SM_1 Description Information redundancy in intra chip data exchanges Ownership End user Detailed implementation This method requir...

Page 18: ...under End user responsibility on actual RAM usage by final Application software Table 17 RAM_SM_1 SM CODE RAM_SM_1 Description Parity on SRAM2 Ownership ST Detailed implementation Internal SRAM2 is p...

Page 19: ...Detailed implementation To address transient faults affecting SRAM controller it is required to implement information redundancy on the safety related system variables stored in the RAM The guidelines...

Page 20: ...nly in case of Application software execution from SRAM CPU_SM_1 correct implementation supersedes this requirement Table 21 RAM_SM_5 SM CODE RAM_SM_5 Description Periodic integrity test for Applicati...

Page 21: ...memory interface address decoder are addressed through a dedicated software test that checks the memory cells contents versus the expected value using signature based techniques According to IEC 6150...

Page 22: ...sient Dependency on Device configuration None Initialization Depends on implementation Periodicity Continuous Test for the diagnostic Not applicable Multiple fault protection CPU_SM_0 Periodic core se...

Page 23: ...tatic data encapsulation Ownership End user Detailed implementation If static data are stored in Flash memory encapsulation by a checksum field with encoding capability such as CRC must be implemented...

Page 24: ...nitialization Not applicable Periodicity Not applicable Test for the diagnostic Not applicable Multiple fault protection Not applicable Recommendations and known limitations Filling code can be made o...

Page 25: ...rection interrupt management routine are exposed to potential lack of protection against dual errors until the code part where the ECCC flag is cleared The End users needing to fully address failure m...

Page 26: ...5 Firewall FW Table 33 FWR_SM_0 SM CODE FWR_SM_0 Description Periodic read back of Firewall configuration registers Ownership End user Detailed implementation This method must be applied to Firewall c...

Page 27: ...iguration None Initialization Protection enable by the PVDE bit and the threshold setting in the Power control register PWR_CR Periodicity Continuous Test for the diagnostic Direct test procedure for...

Page 28: ...ware faults in supply voltage system may cause excessive power consumption and consequent temperature rise Error reporting Depends on implementation Fault detection time Depends on implementation Addr...

Page 29: ...to avoid power supply disturbance in presence of a single failure Error reporting Depends on implementation Fault detection time Fault avoidance Addressed fault model None Dependency on Device config...

Page 30: ...Continuous Test for the diagnostic CLK_SM_0 Periodic read back of configuration registers Multiple fault protection CPU_SM_5 External watchdog Recommendations and known limitations It is recommended...

Page 31: ...n Application software CPU_SM_5 External watchdog Recommendations and known limitations Efficiency versus transient faults is negligible It provides only medium efficiency in permanent clock related f...

Page 32: ...d user Detailed implementation This method addresses GPIO lines used as outputs Implementation is done by a loopback scheme connecting the output to a different GPIO line programmed as input and by us...

Page 33: ...ults soft errors that can possibly cause bit flips on GPIO registers at running time 3 6 9 Debug system or peripheral control Table 48 DBG_SM_0 SM CODE DBG_SM_0 Description Watchdog protection Ownersh...

Page 34: ...to protect registers related to hardware diagnostics activation and error reporting chain related features Detailed information on the implementation of this method can be found in Section 3 6 14 Ext...

Page 35: ...to NVIC_SM_0 Fault detection time Refer to NVIC_SM_0 Addressed fault model Refer to NVIC_SM_0 Dependency on Device configuration Refer to NVIC_SM_0 Initialization Refer to NVIC_SM_0 Periodicity Refer...

Page 36: ...e identification field value and the message type is checked by Application software before consuming data This method when implemented in combination with DMA_SM_4 makes available a kind of virtual c...

Page 37: ...1508 3 Table 2 item 13 requirements for software architecture This method is based on system knowledge of frequency and type of expected DMA transaction For instance an externally connected sensor sup...

Page 38: ...tionality implemented through a deterministic transfer and processing of a set of test images from memory to memory and the checking of the correct execution output image must be generated as per spec...

Page 39: ...rocessing performed by DMA2D is used for the implementation of a safety function system level considerations as consistency checks on objects recognition results may guarantee additional diagnostic co...

Page 40: ...lues are previously stored in RAM and adequately updated after each configuration change The method mainly addresses transient faults affecting the configuration registers by detecting bit flips in th...

Page 41: ...asis Individual counters are maintained for each interrupt request served in order to detect in a given time frame the cases of a no interrupt at all b too many interrupt requests babbling idiot inter...

Page 42: ...y the CPU permanent and transient faults affecting the FSMC memory controller are able to interfere with the access operation by the CPU leading to wrong data or instruction fetches A strong control f...

Page 43: ...dress failure of physical device connected to FSMC port Table 67 FSMC_SM_2 SM CODE FSMC_SM_2 Description Periodic read back of FSMC configuration registers Ownership End user Detailed implementation T...

Page 44: ...o OCTOSPI configuration registers Detailed information on the implementation of this method can be found in Section 3 6 14 Extended interrupt and events controller EXTI Error reporting Refer to NVIC_S...

Page 45: ...obability of detection for a single bit flip in the data packet Consistency of data packet must be checked by Application software before consuming data Error reporting Depends on implementation Fault...

Page 46: ...re Usage of multiple acquisitions followed by average operations is a common technique in industrial applications exposed to electromagnetic interference on sensor lines Table 74 ADC_SM_2 SM CODE ADC_...

Page 47: ...all voltage excursion and linearity Error reporting Depends on implementation Fault detection time Depends on implementation Addressed fault model Permanent Dependency on Device configuration None Ini...

Page 48: ...st for the diagnostic Refer to NVIC_SM_0 Multiple fault protection Refer to NVIC_SM_0 Recommendations and known limitations Refer to NVIC_SM_0 Table 78 DAC_SM_1 SM CODE DAC_SM_1 Description DAC output...

Page 49: ...known limitations Refer to NVIC_SM_0 Table 80 VREF_SM_1 SM CODE VREF_SM_1 Description VREF cross check by ADC reading Ownership End user Detailed implementation This method is based on ADC acquisition...

Page 50: ...detection time Depends on implementation Addressed fault model Permanent transient Dependency on Device configuration None Initialization Depends on implementation Periodicity On demand Test for the...

Page 51: ...nown limitations It is highly probable that this recommendation is satisfied by design on End user application multiple acquisition is a common technique in industrial applications facing electromagne...

Page 52: ...n their use in safety related functions lead to an application level scenario End user is therefore responsible for the mitigation of failure modes affecting the analog section of used OPAMP module s...

Page 53: ...e with spurious EMI disturbs on sensor lines Table 89 DFS_SM_2 SM CODE DFS_SM_2 Description Range check by Application software Ownership End user Detailed implementation This method is implemented as...

Page 54: ...Dependency on Device configuration DCMI interface is available only on selected part numbers Initialization Refer to NVIC_SM_0 Periodicity Refer to NVIC_SM_0 Test for the diagnostic Refer to NVIC_SM_0...

Page 55: ...d fault model Refer to NVIC_SM_0 Dependency on Device configuration Refer to NVIC_SM_0 Initialization Refer to NVIC_SM_0 Periodicity Refer to NVIC_SM_0 Test for the diagnostic Refer to NVIC_SM_0 Multi...

Page 56: ...C_SM_0 Multiple fault protection Refer to NVIC_SM_0 Recommendations and known limitations Refer to NVIC_SM_0 Table 96 DSI_SM_1 SM CODE DSI_SM_1 Description Protocol error signals and information redun...

Page 57: ...Initialization Refer to NVIC_SM_0 Periodicity Refer to NVIC_SM_0 Test for the diagnostic Refer to NVIC_SM_0 Multiple fault protection Refer to NVIC_SM_0 Recommendations and known limitations Refer to...

Page 58: ...e it is necessary to leverage on the contribution from other components of the final system 3 6 28 HASH processor HASH Table 100 HASH_SM_0 SM CODE HASH_SM_0 Description Periodic read back of HASH conf...

Page 59: ...ations This detection capability can be used to implement software based tests by processing a predefined message and further checking the expected results which can be executed periodically to early...

Page 60: ...CPU_SM_0 Periodic core self test software Recommendations and known limitations None 3 6 30 Advanced encryption standard hardware accelerator AES Table 104 AES_SM_0 SM CODE AES_SM_0 Description Period...

Page 61: ...ecking the expected results which can be executed periodically to early detect AES failures before its use by application software Table 106 AES_SM_2 SM CODE AES_SM_2 Description Information redundanc...

Page 62: ...n of the method are the following Two timers are programmed with same time base or frequency In case of timer use as a time base use in Application software one of the timer as time base source and th...

Page 63: ...SM CODE ATIM_SM_3 Description Loopback scheme for pulse width modulation PWM outputs Ownership End user Detailed implementation This method is implemented by connecting the PWM to a separate timer cha...

Page 64: ...st for the diagnostic Not applicable Multiple fault protection Not applicable Recommendations and known limitations This method does not address timer configuration changes due to soft errors Note IRT...

Page 65: ...Device configuration None Initialization Depends on implementation Periodicity On demand Test for the diagnostic Not applicable Multiple fault protection CPU_SM_0 Periodic core self test software Reco...

Page 66: ...iodic Test for the diagnostic Not applicable Multiple fault protection CPU_SM_0 Periodic core self test software Recommendations and known limitations This method provides a limited diagnostic coverag...

Page 67: ...is worth noting that the use of timestamp event capture in safety related applications with the MCU in Sleep or Stop mode is prevented by the assumed requirement ASR7 refer to Section 3 3 1 Safety re...

Page 68: ...edundancy techniques on messages Ownership End user Detailed implementation This method is implemented adding to data packets transferred by I2C a redundancy check such as a CRC check or similar one w...

Page 69: ...he only one to guarantee message integrity Enabling related interrupt generation on the detection of errors is highly recommended Table 122 IIC_SM_4 SM CODE IIC_SM_4 Description Information redundancy...

Page 70: ...communication software so the overhead is reduced Error reporting Error flag raise and optional interrupt event generation Fault detection time Depends on peripheral configuration for example baud rat...

Page 71: ...checksum computed over the packet and added to payload Checksum encoding capability must be robust enough to guarantee at least 90 probability of detection for a single bit flip in the data packet Add...

Page 72: ...ocol error signals Ownership ST Detailed implementation SPI communication module embeds protocol error checks like overrun underrun timeout and so on conceived to detect network related abnormal condi...

Page 73: ...n module allows to activate automatic insertion and check of CRC 8 or CRC 18 checksums to packet data Error reporting Error flag raise and optional Interrupt Event generation Fault detection time Depe...

Page 74: ...to SAI configuration registers Detailed information on the implementation of this method can be found in Section 3 6 14 Extended interrupt and events controller EXTI Error reporting Refer to NVIC_SM_...

Page 75: ...Application software checks the coherence between the received data Error reporting Depends on implementation Fault detection time Depends on implementation Addressed fault model Permanent transient...

Page 76: ...gnostic Direct test procedure for CRC efficiency is not available CRC run time hardware failures leading to disabling such protection fall into multiple fault scenario from IEC61508 perspective Relate...

Page 77: ...e correctness of sequence sequence number check no packets lost Error reporting Depends on implementation Fault detection time Depends on implementation Addressed fault model Depends on implementation...

Page 78: ...e configuration None Initialization Depends on implementation Periodicity Continuous Test for the diagnostic Not applicable Multiple fault protection SDIO_SM_2 Information redundancy techniques on mes...

Page 79: ...Fault detection time Refer to NVIC_SM_0 Addressed fault model Refer to NVIC_SM_0 Dependency on Device configuration Refer to NVIC_SM_0 Initialization Refer to NVIC_SM_0 Periodicity Refer to NVIC_SM_0...

Page 80: ...l within the expected time window detecting therefore missed message arrival conditions Application software must verify before consuming data packet its consistency CRC check its legitimacy sender or...

Page 81: ...ult model Permanent transient Dependency on Device configuration None Initialization Depends on implementation Periodicity Continuous Test for the diagnostic Not applicable Multiple fault protection U...

Page 82: ...nsfers are used For other transfers modes the USB hardware protocol already implements several features of this requirement Refer to UART_SM_3 for further notice 3 6 42 Part separation no interference...

Page 83: ...mary of the safety concept recommendations reported in Section 3 6 Hardware and software diagnostics The conditions of use to be applied to STM32L4 and STM32L4 Series devices are reported in form of s...

Page 84: ...cy in intra chip data exchanges X X Embedded SRAM RAM_SM_0 Periodic software test for static random access memory SRAM X RAM_SM_1 Parity on SRAM2 X X RAM_SM_2 Stack hardening for Application software...

Page 85: ...lines X X GPIO_SM_3 GPIO port configuration lock register Debug system or peripheral control DBG_SM_0 Watchdog protection X X LOCK_SM_0 Lock mechanism for configuration options System configuration c...

Page 86: ...s X X ADC_SM_1 Multiple acquisition by Application software X ADC_SM_2 Range check by Application software X X ADC_SM_3 Periodic software test for ADC X ADC_SM_4 1oo2 scheme for ADC inputs X X Digital...

Page 87: ...plication level detection of permanent failures of TSC acquisition X True random number generator RNG RNG_SM_0 Periodic read back of RNG configuration register X X RNG_SM_1 RNG module entropy on line...

Page 88: ...undancy techniques on messages including end to end protection X X Serial peripheral interface SPI SPI_SM_0 Periodic read back of configuration registers X X SPI_SM_1 Protocol error signals X X SPI_SM...

Page 89: ...fety function s implementation Device peripherals CoU_4 End user must implement the required combination of safety mechanism CoUs for each STM32 peripheral used in implementation of safety function s...

Page 90: ...ons inside the MCU System critical MCU modules Every End user application is affected from safety point of view by a failure on these modules Because they are used by every End user application relate...

Page 91: ...oftware based diagnostics refer to safety mechanism description for details The impact is therefore strictly related to how much aggressive the system level PST is see Section 3 3 1 Safety requirement...

Page 92: ...rements for freedom from interferences FFI For a non safety related part End user is allowed to Exclude the part from computing metrics to report in FMEDA and Not implement safety mechanisms as listed...

Page 93: ...w the use of on chip redundancy for integrated circuits with one common semiconductor substrate As there is no on chip redundancy on STM32L4 and STM32L4 Series devices the CCF quantification through t...

Page 94: ...hanisms is therefore highly recommended refer to Section 3 6 11 Direct memory access controller DMA DMA2D DMAMUX for description DMA_SM_0 DMA_SM_1 DMA_SM_2 Note Only DMA_SM_0 must be implemented if DM...

Page 95: ...ated and measured values safety report a document that describes in detail the safety analysis executed on STM32L4 and STM32L4 Series devices and the clause by clause compliance to IEC 61508 STMicroel...

Page 96: ...e systems Part 5 2 Safety requirements Functional 6 1 ISO 13849 1 2015 ISO 13849 2 2012 ISO 13849 1 is a type B1 standard It provides a guideline for the development of Safety related parts of machine...

Page 97: ...ance activity this manual helps to claim the score for item 4 in Table F 1 6 1 2 ISO 13849 safety metrics computation Appendix C of ISO 13849 presents tables of standardized MTTFd for the various elec...

Page 98: ...ure Clause A 6 7 8 2 2 Equivalent of 1oo1 with HFT 0 no diagnostic function s implemented B 6 7 8 2 3 Equivalent to 1oo2 with HFT 1 a single failure does not lead to the loss of SRCF No diagnostic fun...

Page 99: ...2xx MCU is considered as Type B for the consideration reported in Section 3 2 2 6 3 2 IEC 61800 safety metrics computation The PFH of a safety function performed by PDS SR is evaluated by the applicat...

Page 100: ...roller DMA DMA2D DMAMUX Section RTC_SM_2 Title of Section Quad SPI interface QUADSPI and Octo SPI interface OCTOSPI Title of Section LCD TFT display controller LTDC Section Conditions of use Section C...

Page 101: ...memory FLASH_SM_7 Section 3 6 28 HASH processor HASH HASH_SM_1 Section 3 6 30 Advanced encryption standard hardware accelerator AES AES_SM_1 Section 3 6 33 Real time clock module RTC RTC_SM_2 Section...

Page 102: ...onic control board EUC equipment under control FIT failure in time FMEA failure mode effect analysis FMEDA failure mode effect diagnostic analysis HD high demand HFT hardware fault tolerance HW hardwa...

Page 103: ...assumptions 8 3 4 Electrical specifications and environment limits 9 3 5 Systematic safety integrity 9 3 6 Hardware and software diagnostics 9 3 6 1 Arm Cortex M4 CPU 10 3 6 2 System bus architecture...

Page 104: ...erator RNG 59 3 6 30 Advanced encryption standard hardware accelerator AES 60 3 6 31 Advanced general and low power timer TIM1 2 3 4 5 8 15 16 17 LPTIM1 2 61 3 6 32 Basic timers TIM6 7 64 3 6 33 Real...

Page 105: ...impact analysis for other safety standards 96 6 1 ISO 13849 1 2015 ISO 13849 2 2012 96 6 1 1 ISO 13849 architectural categories 96 6 1 2 ISO 13849 safety metrics computation 97 6 2 IEC 62061 2005 AMD...

Page 106: ...22 RAM_SM_6 21 Table 23 FLASH_SM_0 21 Table 24 FLASH_SM_1 22 Table 25 FLASH_SM_2 22 Table 26 FLASH_SM_3 23 Table 27 FLASH_SM_4 23 Table 28 FLASH_SM_5 23 Table 29 FLASH_SM_6 24 Table 30 FLASH_SM_7 24 T...

Page 107: ...DC_SM_4 47 Table 77 DAC_SM_0 48 Table 78 DAC_SM_1 48 Table 79 VREF_SM_0 49 Table 80 VREF_SM_1 49 Table 81 COMP_SM_0 49 Table 82 COMP_SM_1 50 Table 83 COMP_SM_2 50 Table 84 COMP_SM_3 51 Table 85 COMP_S...

Page 108: ...able 132 SAI_SM_0 74 Table 133 SAI_SM_1 74 Table 134 SAI_SM_2 75 Table 135 SWPMI_SM_0 75 Table 136 SWPMI_SM_1 76 Table 137 SWPMI_SM_2 76 Table 138 SWPMI_SM_3 77 Table 139 SDIO_SM_0 77 Table 140 SDIO_S...

Page 109: ...s product development process 4 Figure 2 STM32 as Compliant item 5 Figure 3 1oo1 reference architecture 6 Figure 4 1oo2 reference architecture 7 Figure 5 Allocation and target for STM32 PST 8 UM2305 L...

Page 110: ...direct consequential exemplary incidental punitive or other damages including lost profits arising from or relating to your reliance upon or use of this document Purchasers should obtain the latest re...

Reviews:

No comments