background image

Table 99. 

TSC_SM_2

SM CODE

TSC_SM_2

Description

Application-level detection of permanent failures of TSC acquisition

Ownership

End user

Detailed implementation

This method must detect TSC module permanent failure leading to wrong or missing
acquisition of touch sensing events.

Error reporting

Depends on implementation

Fault detection time

Depends on implementation

Addressed fault model

Permanent

Dependency on 

Device

 configuration

None

Initialization

Depends on implementation

Periodicity

Periodic

Test for the diagnostic

Not applicable

Multiple-fault protection

CPU_SM_0: Periodic core self-test software

Recommendations and known limitations

Due to the strictly application-dependent nature of this solution, no detailed guidelines for
its implementation are given here. As a solution fully based on microcontroller resources is
impossible, it is necessary to leverage on the contribution from other components of the final
system.

3.6.28

HASH processor (HASH)

Table 100. 

HASH_SM_0

SM CODE

HASH_SM_0

Description

Periodic read-back of HASH configuration registers

Ownership

End user

Detailed implementation

This method must be applied to HASH configuration registers.
Detailed information on the implementation of this method can be found in

Section  3.6.14  Extended interrupt and events controller (EXTI)

.

Error reporting

Refer to NVIC_SM_0

Fault detection time

Refer to NVIC_SM_0

Addressed fault model

Refer to NVIC_SM_0

Dependency on 

Device

 configuration

HASH module available only on specific part numbers

Initialization

Refer to NVIC_SM_0

Periodicity

Refer to NVIC_SM_0

Test for the diagnostic

Refer to NVIC_SM_0

Multiple-fault protection

Refer to NVIC_SM_0

Recommendations and known limitations

Refer to NVIC_SM_0

Table 101. 

HASH_SM_1

SM CODE

HASH_SM_1

Description

HASH processing collateral detection

Ownership

ST

 UM2305

Hardware and software diagnostics

UM2305

 - 

Rev 10

page 58/110

Содержание STM32L4 Series

Страница 1: ...the X CUBE STL software product It provides the essential information pertaining to the applicable functional safety standards which allows system designers to avoid going into unnecessary details The...

Страница 2: ...nt item 3 2 D2 1 c constraints on the use of Compliant item or assumptions on which analysis of the behavior or failure rates of the item are based 3 2 D2 2 a the failure modes of Compliant item due t...

Страница 3: ...nce documents 1 AN5112 Results of FMEA on STM32L4 and STM32L4 Series microcontrollers 2 AN5111 FMEDA snapshots for STM32L4 and STM32L4 Series microcontrollers UM2305 Reference documents UM2305 Rev 10...

Страница 4: ...are development Software development Analysis of new product specification to forecast reliability performance Reliability plan reliability design rules prediction of failure rates for operating life...

Страница 5: ...im is being made with respect to the clauses of IEC 61508 series Any mature Compliant item must be described in a safety manual available to End user In this document Compliant item is defined as a sy...

Страница 6: ...safety functions consisting of three operations safe acquisition of safety related data from input peripheral s safe execution of Application software program and safe computation of related data saf...

Страница 7: ...laiming hardware fault tolerance HFT equal to 1 Achievement of higher safety integrity levels as per IEC61508 2 Table 3 is therefore possible Appropriate separation between the two channels including...

Страница 8: ...7 4 5 3 must be considered Figure 5 Allocation and target for STM32 PST System level PST MCU detection FW reaction SW reaction Actuator reaction STM32xx Series duty End user duty ASR3 Compliant item i...

Страница 9: ...st operate Device s within its their specified absolute maximum rating capacity operating conditions For electrical specifications and environmental limits of Device s refer to its their technical doc...

Страница 10: ...t transient or both and other information If ranked for Fault avoidance method contributes to lower the probability of occurrence of a failure If ranked for Systematic method is conceived to mitigate...

Страница 11: ...or hang up Due to their intrinsic nature such failure modes are not addressed by a standard software test method like SM_CPU_0 Therefore it is necessary to implement a run time control of Application...

Страница 12: ...nt formula if possible Error reporting Depends on implementation Fault detection time Depends on implementation Addressed fault model Transient Dependency on Device configuration None Initialization D...

Страница 13: ...that are not protected by redundancy to implement defensive programming techniques plausibility check of passed values For example enumerated fields are to be checked for consistency Error reporting D...

Страница 14: ...er to CPU_SM_1 addresses failure mode of program counter or control structures of CPU Error reporting Reset signal generation Fault detection time Depends on implementation watchdog timeout interval A...

Страница 15: ...Firewall can protect a specific part of code or data in the non volatile memory and or it can protect volatile data in the SRAM 1 from interferences by the code executed outside the protected area Ill...

Страница 16: ...forcement implemented by the MPU itself The implementation is based on intentionally performing read and write accesses outside the memory areas allowed by the MPU region programming and collecting an...

Страница 17: ...isters required for several peripherals Table 15 BUS_SM_1 SM CODE BUS_SM_1 Description Information redundancy in intra chip data exchanges Ownership End user Detailed implementation This method requir...

Страница 18: ...under End user responsibility on actual RAM usage by final Application software Table 17 RAM_SM_1 SM CODE RAM_SM_1 Description Parity on SRAM2 Ownership ST Detailed implementation Internal SRAM2 is p...

Страница 19: ...Detailed implementation To address transient faults affecting SRAM controller it is required to implement information redundancy on the safety related system variables stored in the RAM The guidelines...

Страница 20: ...nly in case of Application software execution from SRAM CPU_SM_1 correct implementation supersedes this requirement Table 21 RAM_SM_5 SM CODE RAM_SM_5 Description Periodic integrity test for Applicati...

Страница 21: ...memory interface address decoder are addressed through a dedicated software test that checks the memory cells contents versus the expected value using signature based techniques According to IEC 6150...

Страница 22: ...sient Dependency on Device configuration None Initialization Depends on implementation Periodicity Continuous Test for the diagnostic Not applicable Multiple fault protection CPU_SM_0 Periodic core se...

Страница 23: ...tatic data encapsulation Ownership End user Detailed implementation If static data are stored in Flash memory encapsulation by a checksum field with encoding capability such as CRC must be implemented...

Страница 24: ...nitialization Not applicable Periodicity Not applicable Test for the diagnostic Not applicable Multiple fault protection Not applicable Recommendations and known limitations Filling code can be made o...

Страница 25: ...rection interrupt management routine are exposed to potential lack of protection against dual errors until the code part where the ECCC flag is cleared The End users needing to fully address failure m...

Страница 26: ...5 Firewall FW Table 33 FWR_SM_0 SM CODE FWR_SM_0 Description Periodic read back of Firewall configuration registers Ownership End user Detailed implementation This method must be applied to Firewall c...

Страница 27: ...iguration None Initialization Protection enable by the PVDE bit and the threshold setting in the Power control register PWR_CR Periodicity Continuous Test for the diagnostic Direct test procedure for...

Страница 28: ...ware faults in supply voltage system may cause excessive power consumption and consequent temperature rise Error reporting Depends on implementation Fault detection time Depends on implementation Addr...

Страница 29: ...to avoid power supply disturbance in presence of a single failure Error reporting Depends on implementation Fault detection time Fault avoidance Addressed fault model None Dependency on Device config...

Страница 30: ...Continuous Test for the diagnostic CLK_SM_0 Periodic read back of configuration registers Multiple fault protection CPU_SM_5 External watchdog Recommendations and known limitations It is recommended...

Страница 31: ...n Application software CPU_SM_5 External watchdog Recommendations and known limitations Efficiency versus transient faults is negligible It provides only medium efficiency in permanent clock related f...

Страница 32: ...d user Detailed implementation This method addresses GPIO lines used as outputs Implementation is done by a loopback scheme connecting the output to a different GPIO line programmed as input and by us...

Страница 33: ...ults soft errors that can possibly cause bit flips on GPIO registers at running time 3 6 9 Debug system or peripheral control Table 48 DBG_SM_0 SM CODE DBG_SM_0 Description Watchdog protection Ownersh...

Страница 34: ...to protect registers related to hardware diagnostics activation and error reporting chain related features Detailed information on the implementation of this method can be found in Section 3 6 14 Ext...

Страница 35: ...to NVIC_SM_0 Fault detection time Refer to NVIC_SM_0 Addressed fault model Refer to NVIC_SM_0 Dependency on Device configuration Refer to NVIC_SM_0 Initialization Refer to NVIC_SM_0 Periodicity Refer...

Страница 36: ...e identification field value and the message type is checked by Application software before consuming data This method when implemented in combination with DMA_SM_4 makes available a kind of virtual c...

Страница 37: ...1508 3 Table 2 item 13 requirements for software architecture This method is based on system knowledge of frequency and type of expected DMA transaction For instance an externally connected sensor sup...

Страница 38: ...tionality implemented through a deterministic transfer and processing of a set of test images from memory to memory and the checking of the correct execution output image must be generated as per spec...

Страница 39: ...rocessing performed by DMA2D is used for the implementation of a safety function system level considerations as consistency checks on objects recognition results may guarantee additional diagnostic co...

Страница 40: ...lues are previously stored in RAM and adequately updated after each configuration change The method mainly addresses transient faults affecting the configuration registers by detecting bit flips in th...

Страница 41: ...asis Individual counters are maintained for each interrupt request served in order to detect in a given time frame the cases of a no interrupt at all b too many interrupt requests babbling idiot inter...

Страница 42: ...y the CPU permanent and transient faults affecting the FSMC memory controller are able to interfere with the access operation by the CPU leading to wrong data or instruction fetches A strong control f...

Страница 43: ...dress failure of physical device connected to FSMC port Table 67 FSMC_SM_2 SM CODE FSMC_SM_2 Description Periodic read back of FSMC configuration registers Ownership End user Detailed implementation T...

Страница 44: ...o OCTOSPI configuration registers Detailed information on the implementation of this method can be found in Section 3 6 14 Extended interrupt and events controller EXTI Error reporting Refer to NVIC_S...

Страница 45: ...obability of detection for a single bit flip in the data packet Consistency of data packet must be checked by Application software before consuming data Error reporting Depends on implementation Fault...

Страница 46: ...re Usage of multiple acquisitions followed by average operations is a common technique in industrial applications exposed to electromagnetic interference on sensor lines Table 74 ADC_SM_2 SM CODE ADC_...

Страница 47: ...all voltage excursion and linearity Error reporting Depends on implementation Fault detection time Depends on implementation Addressed fault model Permanent Dependency on Device configuration None Ini...

Страница 48: ...st for the diagnostic Refer to NVIC_SM_0 Multiple fault protection Refer to NVIC_SM_0 Recommendations and known limitations Refer to NVIC_SM_0 Table 78 DAC_SM_1 SM CODE DAC_SM_1 Description DAC output...

Страница 49: ...known limitations Refer to NVIC_SM_0 Table 80 VREF_SM_1 SM CODE VREF_SM_1 Description VREF cross check by ADC reading Ownership End user Detailed implementation This method is based on ADC acquisition...

Страница 50: ...detection time Depends on implementation Addressed fault model Permanent transient Dependency on Device configuration None Initialization Depends on implementation Periodicity On demand Test for the...

Страница 51: ...nown limitations It is highly probable that this recommendation is satisfied by design on End user application multiple acquisition is a common technique in industrial applications facing electromagne...

Страница 52: ...n their use in safety related functions lead to an application level scenario End user is therefore responsible for the mitigation of failure modes affecting the analog section of used OPAMP module s...

Страница 53: ...e with spurious EMI disturbs on sensor lines Table 89 DFS_SM_2 SM CODE DFS_SM_2 Description Range check by Application software Ownership End user Detailed implementation This method is implemented as...

Страница 54: ...Dependency on Device configuration DCMI interface is available only on selected part numbers Initialization Refer to NVIC_SM_0 Periodicity Refer to NVIC_SM_0 Test for the diagnostic Refer to NVIC_SM_0...

Страница 55: ...d fault model Refer to NVIC_SM_0 Dependency on Device configuration Refer to NVIC_SM_0 Initialization Refer to NVIC_SM_0 Periodicity Refer to NVIC_SM_0 Test for the diagnostic Refer to NVIC_SM_0 Multi...

Страница 56: ...C_SM_0 Multiple fault protection Refer to NVIC_SM_0 Recommendations and known limitations Refer to NVIC_SM_0 Table 96 DSI_SM_1 SM CODE DSI_SM_1 Description Protocol error signals and information redun...

Страница 57: ...Initialization Refer to NVIC_SM_0 Periodicity Refer to NVIC_SM_0 Test for the diagnostic Refer to NVIC_SM_0 Multiple fault protection Refer to NVIC_SM_0 Recommendations and known limitations Refer to...

Страница 58: ...e it is necessary to leverage on the contribution from other components of the final system 3 6 28 HASH processor HASH Table 100 HASH_SM_0 SM CODE HASH_SM_0 Description Periodic read back of HASH conf...

Страница 59: ...ations This detection capability can be used to implement software based tests by processing a predefined message and further checking the expected results which can be executed periodically to early...

Страница 60: ...CPU_SM_0 Periodic core self test software Recommendations and known limitations None 3 6 30 Advanced encryption standard hardware accelerator AES Table 104 AES_SM_0 SM CODE AES_SM_0 Description Period...

Страница 61: ...ecking the expected results which can be executed periodically to early detect AES failures before its use by application software Table 106 AES_SM_2 SM CODE AES_SM_2 Description Information redundanc...

Страница 62: ...n of the method are the following Two timers are programmed with same time base or frequency In case of timer use as a time base use in Application software one of the timer as time base source and th...

Страница 63: ...SM CODE ATIM_SM_3 Description Loopback scheme for pulse width modulation PWM outputs Ownership End user Detailed implementation This method is implemented by connecting the PWM to a separate timer cha...

Страница 64: ...st for the diagnostic Not applicable Multiple fault protection Not applicable Recommendations and known limitations This method does not address timer configuration changes due to soft errors Note IRT...

Страница 65: ...Device configuration None Initialization Depends on implementation Periodicity On demand Test for the diagnostic Not applicable Multiple fault protection CPU_SM_0 Periodic core self test software Reco...

Страница 66: ...iodic Test for the diagnostic Not applicable Multiple fault protection CPU_SM_0 Periodic core self test software Recommendations and known limitations This method provides a limited diagnostic coverag...

Страница 67: ...is worth noting that the use of timestamp event capture in safety related applications with the MCU in Sleep or Stop mode is prevented by the assumed requirement ASR7 refer to Section 3 3 1 Safety re...

Страница 68: ...edundancy techniques on messages Ownership End user Detailed implementation This method is implemented adding to data packets transferred by I2C a redundancy check such as a CRC check or similar one w...

Страница 69: ...he only one to guarantee message integrity Enabling related interrupt generation on the detection of errors is highly recommended Table 122 IIC_SM_4 SM CODE IIC_SM_4 Description Information redundancy...

Страница 70: ...communication software so the overhead is reduced Error reporting Error flag raise and optional interrupt event generation Fault detection time Depends on peripheral configuration for example baud rat...

Страница 71: ...checksum computed over the packet and added to payload Checksum encoding capability must be robust enough to guarantee at least 90 probability of detection for a single bit flip in the data packet Add...

Страница 72: ...ocol error signals Ownership ST Detailed implementation SPI communication module embeds protocol error checks like overrun underrun timeout and so on conceived to detect network related abnormal condi...

Страница 73: ...n module allows to activate automatic insertion and check of CRC 8 or CRC 18 checksums to packet data Error reporting Error flag raise and optional Interrupt Event generation Fault detection time Depe...

Страница 74: ...to SAI configuration registers Detailed information on the implementation of this method can be found in Section 3 6 14 Extended interrupt and events controller EXTI Error reporting Refer to NVIC_SM_...

Страница 75: ...Application software checks the coherence between the received data Error reporting Depends on implementation Fault detection time Depends on implementation Addressed fault model Permanent transient...

Страница 76: ...gnostic Direct test procedure for CRC efficiency is not available CRC run time hardware failures leading to disabling such protection fall into multiple fault scenario from IEC61508 perspective Relate...

Страница 77: ...e correctness of sequence sequence number check no packets lost Error reporting Depends on implementation Fault detection time Depends on implementation Addressed fault model Depends on implementation...

Страница 78: ...e configuration None Initialization Depends on implementation Periodicity Continuous Test for the diagnostic Not applicable Multiple fault protection SDIO_SM_2 Information redundancy techniques on mes...

Страница 79: ...Fault detection time Refer to NVIC_SM_0 Addressed fault model Refer to NVIC_SM_0 Dependency on Device configuration Refer to NVIC_SM_0 Initialization Refer to NVIC_SM_0 Periodicity Refer to NVIC_SM_0...

Страница 80: ...l within the expected time window detecting therefore missed message arrival conditions Application software must verify before consuming data packet its consistency CRC check its legitimacy sender or...

Страница 81: ...ult model Permanent transient Dependency on Device configuration None Initialization Depends on implementation Periodicity Continuous Test for the diagnostic Not applicable Multiple fault protection U...

Страница 82: ...nsfers are used For other transfers modes the USB hardware protocol already implements several features of this requirement Refer to UART_SM_3 for further notice 3 6 42 Part separation no interference...

Страница 83: ...mary of the safety concept recommendations reported in Section 3 6 Hardware and software diagnostics The conditions of use to be applied to STM32L4 and STM32L4 Series devices are reported in form of s...

Страница 84: ...cy in intra chip data exchanges X X Embedded SRAM RAM_SM_0 Periodic software test for static random access memory SRAM X RAM_SM_1 Parity on SRAM2 X X RAM_SM_2 Stack hardening for Application software...

Страница 85: ...lines X X GPIO_SM_3 GPIO port configuration lock register Debug system or peripheral control DBG_SM_0 Watchdog protection X X LOCK_SM_0 Lock mechanism for configuration options System configuration c...

Страница 86: ...s X X ADC_SM_1 Multiple acquisition by Application software X ADC_SM_2 Range check by Application software X X ADC_SM_3 Periodic software test for ADC X ADC_SM_4 1oo2 scheme for ADC inputs X X Digital...

Страница 87: ...plication level detection of permanent failures of TSC acquisition X True random number generator RNG RNG_SM_0 Periodic read back of RNG configuration register X X RNG_SM_1 RNG module entropy on line...

Страница 88: ...undancy techniques on messages including end to end protection X X Serial peripheral interface SPI SPI_SM_0 Periodic read back of configuration registers X X SPI_SM_1 Protocol error signals X X SPI_SM...

Страница 89: ...fety function s implementation Device peripherals CoU_4 End user must implement the required combination of safety mechanism CoUs for each STM32 peripheral used in implementation of safety function s...

Страница 90: ...ons inside the MCU System critical MCU modules Every End user application is affected from safety point of view by a failure on these modules Because they are used by every End user application relate...

Страница 91: ...oftware based diagnostics refer to safety mechanism description for details The impact is therefore strictly related to how much aggressive the system level PST is see Section 3 3 1 Safety requirement...

Страница 92: ...rements for freedom from interferences FFI For a non safety related part End user is allowed to Exclude the part from computing metrics to report in FMEDA and Not implement safety mechanisms as listed...

Страница 93: ...w the use of on chip redundancy for integrated circuits with one common semiconductor substrate As there is no on chip redundancy on STM32L4 and STM32L4 Series devices the CCF quantification through t...

Страница 94: ...hanisms is therefore highly recommended refer to Section 3 6 11 Direct memory access controller DMA DMA2D DMAMUX for description DMA_SM_0 DMA_SM_1 DMA_SM_2 Note Only DMA_SM_0 must be implemented if DM...

Страница 95: ...ated and measured values safety report a document that describes in detail the safety analysis executed on STM32L4 and STM32L4 Series devices and the clause by clause compliance to IEC 61508 STMicroel...

Страница 96: ...e systems Part 5 2 Safety requirements Functional 6 1 ISO 13849 1 2015 ISO 13849 2 2012 ISO 13849 1 is a type B1 standard It provides a guideline for the development of Safety related parts of machine...

Страница 97: ...ance activity this manual helps to claim the score for item 4 in Table F 1 6 1 2 ISO 13849 safety metrics computation Appendix C of ISO 13849 presents tables of standardized MTTFd for the various elec...

Страница 98: ...ure Clause A 6 7 8 2 2 Equivalent of 1oo1 with HFT 0 no diagnostic function s implemented B 6 7 8 2 3 Equivalent to 1oo2 with HFT 1 a single failure does not lead to the loss of SRCF No diagnostic fun...

Страница 99: ...2xx MCU is considered as Type B for the consideration reported in Section 3 2 2 6 3 2 IEC 61800 safety metrics computation The PFH of a safety function performed by PDS SR is evaluated by the applicat...

Страница 100: ...roller DMA DMA2D DMAMUX Section RTC_SM_2 Title of Section Quad SPI interface QUADSPI and Octo SPI interface OCTOSPI Title of Section LCD TFT display controller LTDC Section Conditions of use Section C...

Страница 101: ...memory FLASH_SM_7 Section 3 6 28 HASH processor HASH HASH_SM_1 Section 3 6 30 Advanced encryption standard hardware accelerator AES AES_SM_1 Section 3 6 33 Real time clock module RTC RTC_SM_2 Section...

Страница 102: ...onic control board EUC equipment under control FIT failure in time FMEA failure mode effect analysis FMEDA failure mode effect diagnostic analysis HD high demand HFT hardware fault tolerance HW hardwa...

Страница 103: ...assumptions 8 3 4 Electrical specifications and environment limits 9 3 5 Systematic safety integrity 9 3 6 Hardware and software diagnostics 9 3 6 1 Arm Cortex M4 CPU 10 3 6 2 System bus architecture...

Страница 104: ...erator RNG 59 3 6 30 Advanced encryption standard hardware accelerator AES 60 3 6 31 Advanced general and low power timer TIM1 2 3 4 5 8 15 16 17 LPTIM1 2 61 3 6 32 Basic timers TIM6 7 64 3 6 33 Real...

Страница 105: ...impact analysis for other safety standards 96 6 1 ISO 13849 1 2015 ISO 13849 2 2012 96 6 1 1 ISO 13849 architectural categories 96 6 1 2 ISO 13849 safety metrics computation 97 6 2 IEC 62061 2005 AMD...

Страница 106: ...22 RAM_SM_6 21 Table 23 FLASH_SM_0 21 Table 24 FLASH_SM_1 22 Table 25 FLASH_SM_2 22 Table 26 FLASH_SM_3 23 Table 27 FLASH_SM_4 23 Table 28 FLASH_SM_5 23 Table 29 FLASH_SM_6 24 Table 30 FLASH_SM_7 24 T...

Страница 107: ...DC_SM_4 47 Table 77 DAC_SM_0 48 Table 78 DAC_SM_1 48 Table 79 VREF_SM_0 49 Table 80 VREF_SM_1 49 Table 81 COMP_SM_0 49 Table 82 COMP_SM_1 50 Table 83 COMP_SM_2 50 Table 84 COMP_SM_3 51 Table 85 COMP_S...

Страница 108: ...able 132 SAI_SM_0 74 Table 133 SAI_SM_1 74 Table 134 SAI_SM_2 75 Table 135 SWPMI_SM_0 75 Table 136 SWPMI_SM_1 76 Table 137 SWPMI_SM_2 76 Table 138 SWPMI_SM_3 77 Table 139 SDIO_SM_0 77 Table 140 SDIO_S...

Страница 109: ...s product development process 4 Figure 2 STM32 as Compliant item 5 Figure 3 1oo1 reference architecture 6 Figure 4 1oo2 reference architecture 7 Figure 5 Allocation and target for STM32 PST 8 UM2305 L...

Страница 110: ...direct consequential exemplary incidental punitive or other damages including lost profits arising from or relating to your reliance upon or use of this document Purchasers should obtain the latest re...

Отзывы: