ST STM32L4 Series User Manual Download Page 89

Page: 89 / 110

Diagnostic

Description

Rank

Perm

Trans

Controller area network (bxCAN)

CAN_SM_0

Periodic read-back of configuration registers

CAN_SM_1

Protocol error signals

CAN_SM_2

Information redundancy techniques on messages,
including end-to-end protection.

Universal serial bus full-speed device interface (OTG_FS)

USB_SM_0

Periodic read-back of configuration registers

USB_SM_1

Protocol error signals

USB_SM_2

Information redundancy techniques on messages

USB_SM_3

Information redundancy techniques on messages,
including end-to-end protection.

Part separation (no interference)

FFI_SM_0

Disable of unused peripherals

FFI_SM_1

Periodic read-back of interference avoidance registers

Arm

Cortex

-M4 CPU

CoU_1

The reset condition of Arm

Cortex

- M4 CPU must be

compatible as valid safe state at system level

Debug

CoU_2

Device

debug features must not be used in safety

function(s) implementation.

Arm

Cortex

-M4 / Supply system

CoU_3

Low-power mode state must not be used in safety
function(s) implementation.

Device peripherals

CoU_4

End user

must implement the required combination of

safety mechanism/CoUs for each STM32 peripheral used
in implementation of safety function(s).

Flash memory subsystem

CoU_5

During Flash memory bank mass erase and
reprogramming there must not be safety functions(s)
executed by

Device

CoU_6

‑

field

Application software

live update by dual

‑

bank

Flash memory system must include the execution of
code/data integrity check through methods such as
FLASH_SM_0

CPU subsystem

CoU_7

In case of multiple safety functions implementations,
methods to guarantee their mutual independence must
include use.

Clock recovery system (CRS)

CoU_8

CRS features must not be used in safety function(s)
implementation.

Device

DUAL_SM_0

Cross-check between two STM32 MCUs

1. To achieve on the single MCU local safety metrics compatible with SIL2 target , method CPU_SM_6 could

be sufficient. Anyway, to understand the rationale behind "++" classification for both methods, refer to the
“Recommendations” row of related description in

Section 3.6 Hardware and software diagnostics

for more

details.

UM2305

Conditions of use

UM2305

Rev 10

page 89/110

Summary of Contents for STM32L4 Series

Page 1: ...the X CUBE STL software product It provides the essential information pertaining to the applicable functional safety standards which allows system designers to avoid going into unnecessary details The...

Page 2: ...nt item 3 2 D2 1 c constraints on the use of Compliant item or assumptions on which analysis of the behavior or failure rates of the item are based 3 2 D2 2 a the failure modes of Compliant item due t...

Page 3: ...nce documents 1 AN5112 Results of FMEA on STM32L4 and STM32L4 Series microcontrollers 2 AN5111 FMEDA snapshots for STM32L4 and STM32L4 Series microcontrollers UM2305 Reference documents UM2305 Rev 10...

Page 4: ...are development Software development Analysis of new product specification to forecast reliability performance Reliability plan reliability design rules prediction of failure rates for operating life...

Page 5: ...im is being made with respect to the clauses of IEC 61508 series Any mature Compliant item must be described in a safety manual available to End user In this document Compliant item is defined as a sy...

Page 6: ...safety functions consisting of three operations safe acquisition of safety related data from input peripheral s safe execution of Application software program and safe computation of related data saf...

Page 7: ...laiming hardware fault tolerance HFT equal to 1 Achievement of higher safety integrity levels as per IEC61508 2 Table 3 is therefore possible Appropriate separation between the two channels including...

Page 8: ...7 4 5 3 must be considered Figure 5 Allocation and target for STM32 PST System level PST MCU detection FW reaction SW reaction Actuator reaction STM32xx Series duty End user duty ASR3 Compliant item i...

Page 9: ...st operate Device s within its their specified absolute maximum rating capacity operating conditions For electrical specifications and environmental limits of Device s refer to its their technical doc...

Page 10: ...t transient or both and other information If ranked for Fault avoidance method contributes to lower the probability of occurrence of a failure If ranked for Systematic method is conceived to mitigate...

Page 11: ...or hang up Due to their intrinsic nature such failure modes are not addressed by a standard software test method like SM_CPU_0 Therefore it is necessary to implement a run time control of Application...

Page 12: ...nt formula if possible Error reporting Depends on implementation Fault detection time Depends on implementation Addressed fault model Transient Dependency on Device configuration None Initialization D...

Page 13: ...that are not protected by redundancy to implement defensive programming techniques plausibility check of passed values For example enumerated fields are to be checked for consistency Error reporting D...

Page 14: ...er to CPU_SM_1 addresses failure mode of program counter or control structures of CPU Error reporting Reset signal generation Fault detection time Depends on implementation watchdog timeout interval A...

Page 15: ...Firewall can protect a specific part of code or data in the non volatile memory and or it can protect volatile data in the SRAM 1 from interferences by the code executed outside the protected area Ill...

Page 16: ...forcement implemented by the MPU itself The implementation is based on intentionally performing read and write accesses outside the memory areas allowed by the MPU region programming and collecting an...

Page 17: ...isters required for several peripherals Table 15 BUS_SM_1 SM CODE BUS_SM_1 Description Information redundancy in intra chip data exchanges Ownership End user Detailed implementation This method requir...

Page 18: ...under End user responsibility on actual RAM usage by final Application software Table 17 RAM_SM_1 SM CODE RAM_SM_1 Description Parity on SRAM2 Ownership ST Detailed implementation Internal SRAM2 is p...

Page 19: ...Detailed implementation To address transient faults affecting SRAM controller it is required to implement information redundancy on the safety related system variables stored in the RAM The guidelines...

Page 20: ...nly in case of Application software execution from SRAM CPU_SM_1 correct implementation supersedes this requirement Table 21 RAM_SM_5 SM CODE RAM_SM_5 Description Periodic integrity test for Applicati...

Page 21: ...memory interface address decoder are addressed through a dedicated software test that checks the memory cells contents versus the expected value using signature based techniques According to IEC 6150...

Page 22: ...sient Dependency on Device configuration None Initialization Depends on implementation Periodicity Continuous Test for the diagnostic Not applicable Multiple fault protection CPU_SM_0 Periodic core se...

Page 23: ...tatic data encapsulation Ownership End user Detailed implementation If static data are stored in Flash memory encapsulation by a checksum field with encoding capability such as CRC must be implemented...

Page 24: ...nitialization Not applicable Periodicity Not applicable Test for the diagnostic Not applicable Multiple fault protection Not applicable Recommendations and known limitations Filling code can be made o...

Page 25: ...rection interrupt management routine are exposed to potential lack of protection against dual errors until the code part where the ECCC flag is cleared The End users needing to fully address failure m...

Page 26: ...5 Firewall FW Table 33 FWR_SM_0 SM CODE FWR_SM_0 Description Periodic read back of Firewall configuration registers Ownership End user Detailed implementation This method must be applied to Firewall c...

Page 27: ...iguration None Initialization Protection enable by the PVDE bit and the threshold setting in the Power control register PWR_CR Periodicity Continuous Test for the diagnostic Direct test procedure for...

Page 28: ...ware faults in supply voltage system may cause excessive power consumption and consequent temperature rise Error reporting Depends on implementation Fault detection time Depends on implementation Addr...

Page 29: ...to avoid power supply disturbance in presence of a single failure Error reporting Depends on implementation Fault detection time Fault avoidance Addressed fault model None Dependency on Device config...

Page 30: ...Continuous Test for the diagnostic CLK_SM_0 Periodic read back of configuration registers Multiple fault protection CPU_SM_5 External watchdog Recommendations and known limitations It is recommended...

Page 31: ...n Application software CPU_SM_5 External watchdog Recommendations and known limitations Efficiency versus transient faults is negligible It provides only medium efficiency in permanent clock related f...

Page 32: ...d user Detailed implementation This method addresses GPIO lines used as outputs Implementation is done by a loopback scheme connecting the output to a different GPIO line programmed as input and by us...

Page 33: ...ults soft errors that can possibly cause bit flips on GPIO registers at running time 3 6 9 Debug system or peripheral control Table 48 DBG_SM_0 SM CODE DBG_SM_0 Description Watchdog protection Ownersh...

Page 34: ...to protect registers related to hardware diagnostics activation and error reporting chain related features Detailed information on the implementation of this method can be found in Section 3 6 14 Ext...

Page 35: ...to NVIC_SM_0 Fault detection time Refer to NVIC_SM_0 Addressed fault model Refer to NVIC_SM_0 Dependency on Device configuration Refer to NVIC_SM_0 Initialization Refer to NVIC_SM_0 Periodicity Refer...

Page 36: ...e identification field value and the message type is checked by Application software before consuming data This method when implemented in combination with DMA_SM_4 makes available a kind of virtual c...

Page 37: ...1508 3 Table 2 item 13 requirements for software architecture This method is based on system knowledge of frequency and type of expected DMA transaction For instance an externally connected sensor sup...

Page 38: ...tionality implemented through a deterministic transfer and processing of a set of test images from memory to memory and the checking of the correct execution output image must be generated as per spec...

Page 39: ...rocessing performed by DMA2D is used for the implementation of a safety function system level considerations as consistency checks on objects recognition results may guarantee additional diagnostic co...

Page 40: ...lues are previously stored in RAM and adequately updated after each configuration change The method mainly addresses transient faults affecting the configuration registers by detecting bit flips in th...

Page 41: ...asis Individual counters are maintained for each interrupt request served in order to detect in a given time frame the cases of a no interrupt at all b too many interrupt requests babbling idiot inter...

Page 42: ...y the CPU permanent and transient faults affecting the FSMC memory controller are able to interfere with the access operation by the CPU leading to wrong data or instruction fetches A strong control f...

Page 43: ...dress failure of physical device connected to FSMC port Table 67 FSMC_SM_2 SM CODE FSMC_SM_2 Description Periodic read back of FSMC configuration registers Ownership End user Detailed implementation T...

Page 44: ...o OCTOSPI configuration registers Detailed information on the implementation of this method can be found in Section 3 6 14 Extended interrupt and events controller EXTI Error reporting Refer to NVIC_S...

Page 45: ...obability of detection for a single bit flip in the data packet Consistency of data packet must be checked by Application software before consuming data Error reporting Depends on implementation Fault...

Page 46: ...re Usage of multiple acquisitions followed by average operations is a common technique in industrial applications exposed to electromagnetic interference on sensor lines Table 74 ADC_SM_2 SM CODE ADC_...

Page 47: ...all voltage excursion and linearity Error reporting Depends on implementation Fault detection time Depends on implementation Addressed fault model Permanent Dependency on Device configuration None Ini...

Page 48: ...st for the diagnostic Refer to NVIC_SM_0 Multiple fault protection Refer to NVIC_SM_0 Recommendations and known limitations Refer to NVIC_SM_0 Table 78 DAC_SM_1 SM CODE DAC_SM_1 Description DAC output...

Page 49: ...known limitations Refer to NVIC_SM_0 Table 80 VREF_SM_1 SM CODE VREF_SM_1 Description VREF cross check by ADC reading Ownership End user Detailed implementation This method is based on ADC acquisition...

Page 50: ...detection time Depends on implementation Addressed fault model Permanent transient Dependency on Device configuration None Initialization Depends on implementation Periodicity On demand Test for the...

Page 51: ...nown limitations It is highly probable that this recommendation is satisfied by design on End user application multiple acquisition is a common technique in industrial applications facing electromagne...

Page 52: ...n their use in safety related functions lead to an application level scenario End user is therefore responsible for the mitigation of failure modes affecting the analog section of used OPAMP module s...

Page 53: ...e with spurious EMI disturbs on sensor lines Table 89 DFS_SM_2 SM CODE DFS_SM_2 Description Range check by Application software Ownership End user Detailed implementation This method is implemented as...

Page 54: ...Dependency on Device configuration DCMI interface is available only on selected part numbers Initialization Refer to NVIC_SM_0 Periodicity Refer to NVIC_SM_0 Test for the diagnostic Refer to NVIC_SM_0...

Page 55: ...d fault model Refer to NVIC_SM_0 Dependency on Device configuration Refer to NVIC_SM_0 Initialization Refer to NVIC_SM_0 Periodicity Refer to NVIC_SM_0 Test for the diagnostic Refer to NVIC_SM_0 Multi...

Page 56: ...C_SM_0 Multiple fault protection Refer to NVIC_SM_0 Recommendations and known limitations Refer to NVIC_SM_0 Table 96 DSI_SM_1 SM CODE DSI_SM_1 Description Protocol error signals and information redun...

Page 57: ...Initialization Refer to NVIC_SM_0 Periodicity Refer to NVIC_SM_0 Test for the diagnostic Refer to NVIC_SM_0 Multiple fault protection Refer to NVIC_SM_0 Recommendations and known limitations Refer to...

Page 58: ...e it is necessary to leverage on the contribution from other components of the final system 3 6 28 HASH processor HASH Table 100 HASH_SM_0 SM CODE HASH_SM_0 Description Periodic read back of HASH conf...

Page 59: ...ations This detection capability can be used to implement software based tests by processing a predefined message and further checking the expected results which can be executed periodically to early...

Page 60: ...CPU_SM_0 Periodic core self test software Recommendations and known limitations None 3 6 30 Advanced encryption standard hardware accelerator AES Table 104 AES_SM_0 SM CODE AES_SM_0 Description Period...

Page 61: ...ecking the expected results which can be executed periodically to early detect AES failures before its use by application software Table 106 AES_SM_2 SM CODE AES_SM_2 Description Information redundanc...

Page 62: ...n of the method are the following Two timers are programmed with same time base or frequency In case of timer use as a time base use in Application software one of the timer as time base source and th...

Page 63: ...SM CODE ATIM_SM_3 Description Loopback scheme for pulse width modulation PWM outputs Ownership End user Detailed implementation This method is implemented by connecting the PWM to a separate timer cha...

Page 64: ...st for the diagnostic Not applicable Multiple fault protection Not applicable Recommendations and known limitations This method does not address timer configuration changes due to soft errors Note IRT...

Page 65: ...Device configuration None Initialization Depends on implementation Periodicity On demand Test for the diagnostic Not applicable Multiple fault protection CPU_SM_0 Periodic core self test software Reco...

Page 66: ...iodic Test for the diagnostic Not applicable Multiple fault protection CPU_SM_0 Periodic core self test software Recommendations and known limitations This method provides a limited diagnostic coverag...

Page 67: ...is worth noting that the use of timestamp event capture in safety related applications with the MCU in Sleep or Stop mode is prevented by the assumed requirement ASR7 refer to Section 3 3 1 Safety re...

Page 68: ...edundancy techniques on messages Ownership End user Detailed implementation This method is implemented adding to data packets transferred by I2C a redundancy check such as a CRC check or similar one w...

Page 69: ...he only one to guarantee message integrity Enabling related interrupt generation on the detection of errors is highly recommended Table 122 IIC_SM_4 SM CODE IIC_SM_4 Description Information redundancy...

Page 70: ...communication software so the overhead is reduced Error reporting Error flag raise and optional interrupt event generation Fault detection time Depends on peripheral configuration for example baud rat...

Page 71: ...checksum computed over the packet and added to payload Checksum encoding capability must be robust enough to guarantee at least 90 probability of detection for a single bit flip in the data packet Add...

Page 72: ...ocol error signals Ownership ST Detailed implementation SPI communication module embeds protocol error checks like overrun underrun timeout and so on conceived to detect network related abnormal condi...

Page 73: ...n module allows to activate automatic insertion and check of CRC 8 or CRC 18 checksums to packet data Error reporting Error flag raise and optional Interrupt Event generation Fault detection time Depe...

Page 74: ...to SAI configuration registers Detailed information on the implementation of this method can be found in Section 3 6 14 Extended interrupt and events controller EXTI Error reporting Refer to NVIC_SM_...

Page 75: ...Application software checks the coherence between the received data Error reporting Depends on implementation Fault detection time Depends on implementation Addressed fault model Permanent transient...

Page 76: ...gnostic Direct test procedure for CRC efficiency is not available CRC run time hardware failures leading to disabling such protection fall into multiple fault scenario from IEC61508 perspective Relate...

Page 77: ...e correctness of sequence sequence number check no packets lost Error reporting Depends on implementation Fault detection time Depends on implementation Addressed fault model Depends on implementation...

Page 78: ...e configuration None Initialization Depends on implementation Periodicity Continuous Test for the diagnostic Not applicable Multiple fault protection SDIO_SM_2 Information redundancy techniques on mes...

Page 79: ...Fault detection time Refer to NVIC_SM_0 Addressed fault model Refer to NVIC_SM_0 Dependency on Device configuration Refer to NVIC_SM_0 Initialization Refer to NVIC_SM_0 Periodicity Refer to NVIC_SM_0...

Page 80: ...l within the expected time window detecting therefore missed message arrival conditions Application software must verify before consuming data packet its consistency CRC check its legitimacy sender or...

Page 81: ...ult model Permanent transient Dependency on Device configuration None Initialization Depends on implementation Periodicity Continuous Test for the diagnostic Not applicable Multiple fault protection U...

Page 82: ...nsfers are used For other transfers modes the USB hardware protocol already implements several features of this requirement Refer to UART_SM_3 for further notice 3 6 42 Part separation no interference...

Page 83: ...mary of the safety concept recommendations reported in Section 3 6 Hardware and software diagnostics The conditions of use to be applied to STM32L4 and STM32L4 Series devices are reported in form of s...

Page 84: ...cy in intra chip data exchanges X X Embedded SRAM RAM_SM_0 Periodic software test for static random access memory SRAM X RAM_SM_1 Parity on SRAM2 X X RAM_SM_2 Stack hardening for Application software...

Page 85: ...lines X X GPIO_SM_3 GPIO port configuration lock register Debug system or peripheral control DBG_SM_0 Watchdog protection X X LOCK_SM_0 Lock mechanism for configuration options System configuration c...

Page 86: ...s X X ADC_SM_1 Multiple acquisition by Application software X ADC_SM_2 Range check by Application software X X ADC_SM_3 Periodic software test for ADC X ADC_SM_4 1oo2 scheme for ADC inputs X X Digital...

Page 87: ...plication level detection of permanent failures of TSC acquisition X True random number generator RNG RNG_SM_0 Periodic read back of RNG configuration register X X RNG_SM_1 RNG module entropy on line...

Page 88: ...undancy techniques on messages including end to end protection X X Serial peripheral interface SPI SPI_SM_0 Periodic read back of configuration registers X X SPI_SM_1 Protocol error signals X X SPI_SM...

Page 89: ...fety function s implementation Device peripherals CoU_4 End user must implement the required combination of safety mechanism CoUs for each STM32 peripheral used in implementation of safety function s...

Page 90: ...ons inside the MCU System critical MCU modules Every End user application is affected from safety point of view by a failure on these modules Because they are used by every End user application relate...

Page 91: ...oftware based diagnostics refer to safety mechanism description for details The impact is therefore strictly related to how much aggressive the system level PST is see Section 3 3 1 Safety requirement...

Page 92: ...rements for freedom from interferences FFI For a non safety related part End user is allowed to Exclude the part from computing metrics to report in FMEDA and Not implement safety mechanisms as listed...

Page 93: ...w the use of on chip redundancy for integrated circuits with one common semiconductor substrate As there is no on chip redundancy on STM32L4 and STM32L4 Series devices the CCF quantification through t...

Page 94: ...hanisms is therefore highly recommended refer to Section 3 6 11 Direct memory access controller DMA DMA2D DMAMUX for description DMA_SM_0 DMA_SM_1 DMA_SM_2 Note Only DMA_SM_0 must be implemented if DM...

Page 95: ...ated and measured values safety report a document that describes in detail the safety analysis executed on STM32L4 and STM32L4 Series devices and the clause by clause compliance to IEC 61508 STMicroel...

Page 96: ...e systems Part 5 2 Safety requirements Functional 6 1 ISO 13849 1 2015 ISO 13849 2 2012 ISO 13849 1 is a type B1 standard It provides a guideline for the development of Safety related parts of machine...

Page 97: ...ance activity this manual helps to claim the score for item 4 in Table F 1 6 1 2 ISO 13849 safety metrics computation Appendix C of ISO 13849 presents tables of standardized MTTFd for the various elec...

Page 98: ...ure Clause A 6 7 8 2 2 Equivalent of 1oo1 with HFT 0 no diagnostic function s implemented B 6 7 8 2 3 Equivalent to 1oo2 with HFT 1 a single failure does not lead to the loss of SRCF No diagnostic fun...

Page 99: ...2xx MCU is considered as Type B for the consideration reported in Section 3 2 2 6 3 2 IEC 61800 safety metrics computation The PFH of a safety function performed by PDS SR is evaluated by the applicat...

Page 100: ...roller DMA DMA2D DMAMUX Section RTC_SM_2 Title of Section Quad SPI interface QUADSPI and Octo SPI interface OCTOSPI Title of Section LCD TFT display controller LTDC Section Conditions of use Section C...

Page 101: ...memory FLASH_SM_7 Section 3 6 28 HASH processor HASH HASH_SM_1 Section 3 6 30 Advanced encryption standard hardware accelerator AES AES_SM_1 Section 3 6 33 Real time clock module RTC RTC_SM_2 Section...

Page 102: ...onic control board EUC equipment under control FIT failure in time FMEA failure mode effect analysis FMEDA failure mode effect diagnostic analysis HD high demand HFT hardware fault tolerance HW hardwa...

Page 103: ...assumptions 8 3 4 Electrical specifications and environment limits 9 3 5 Systematic safety integrity 9 3 6 Hardware and software diagnostics 9 3 6 1 Arm Cortex M4 CPU 10 3 6 2 System bus architecture...

Page 104: ...erator RNG 59 3 6 30 Advanced encryption standard hardware accelerator AES 60 3 6 31 Advanced general and low power timer TIM1 2 3 4 5 8 15 16 17 LPTIM1 2 61 3 6 32 Basic timers TIM6 7 64 3 6 33 Real...

Page 105: ...impact analysis for other safety standards 96 6 1 ISO 13849 1 2015 ISO 13849 2 2012 96 6 1 1 ISO 13849 architectural categories 96 6 1 2 ISO 13849 safety metrics computation 97 6 2 IEC 62061 2005 AMD...

Page 106: ...22 RAM_SM_6 21 Table 23 FLASH_SM_0 21 Table 24 FLASH_SM_1 22 Table 25 FLASH_SM_2 22 Table 26 FLASH_SM_3 23 Table 27 FLASH_SM_4 23 Table 28 FLASH_SM_5 23 Table 29 FLASH_SM_6 24 Table 30 FLASH_SM_7 24 T...

Page 107: ...DC_SM_4 47 Table 77 DAC_SM_0 48 Table 78 DAC_SM_1 48 Table 79 VREF_SM_0 49 Table 80 VREF_SM_1 49 Table 81 COMP_SM_0 49 Table 82 COMP_SM_1 50 Table 83 COMP_SM_2 50 Table 84 COMP_SM_3 51 Table 85 COMP_S...

Page 108: ...able 132 SAI_SM_0 74 Table 133 SAI_SM_1 74 Table 134 SAI_SM_2 75 Table 135 SWPMI_SM_0 75 Table 136 SWPMI_SM_1 76 Table 137 SWPMI_SM_2 76 Table 138 SWPMI_SM_3 77 Table 139 SDIO_SM_0 77 Table 140 SDIO_S...

Page 109: ...s product development process 4 Figure 2 STM32 as Compliant item 5 Figure 3 1oo1 reference architecture 6 Figure 4 1oo2 reference architecture 7 Figure 5 Allocation and target for STM32 PST 8 UM2305 L...

Page 110: ...direct consequential exemplary incidental punitive or other damages including lost profits arising from or relating to your reliance upon or use of this document Purchasers should obtain the latest re...

Search results

Summary of Contents for STM32L4 Series

Reviews:

Related manuals for STM32L4 Series

Brands by name

Popular brands

ST STM32L4 Series, User Manual

Search results

Summary of Contents for STM32L4 Series

Reviews:

Related manuals for STM32L4 Series

Brands by name

Popular brands