3.3 Assumed requirements
This section collects all the assumptions made during the safety analysis of STM32F2 Series microcontrollers.
3.3.1 Assumed safety requirements
The concept specification, the hazard and risk analysis, the overall safety requirement specification and the consequent allocation have determined the requirements for the compliant item (ASR: assumed safety requirements) listed below.
Caution:
It is the end user's responsibility to check the compliance of the final application with these assumptions.
ASR1: The compliant item can be used for four kinds of safety function modes of operation according to part 4, 3.5.16:
• A continuous mode or high-demand SIL3 safety function (CM3), or
• A low-demand SIL3 safety function (LD3), or
• A continuous mode or high-demand SIL2 safety function (CM2), or
• A low-demand SIL2 safety function (LD2).
ASR2: The compliant item is used to implement a safety function allowing a time budget of 10 ms (worst case) for the STM32 MCU to detect and react to a failure. That time corresponds to the portion of the Process Safety Time allocated to STM32F2 Series MCUs ("STM32xx Series duty" in the figure below) in the error reaction chain at system level.
ASR3: The compliant item is used in a safety function that can be continuously powered on for a time longer than 8 hours. It is assumed not to require any proof test, and the lifetime of the product is considered to be not less than 10 years.
ASR4: It is assumed that only one safety function is performed or, if many, that all functions are classified with the same SIL and are therefore not distinguishable in terms of their safety requirements.
ASR5: In case of multiple safety function implementations, it is assumed that the end user is responsible for guaranteeing their needed mutual independence.
ASR6: It is assumed that there are no "non-safety related" functions implemented in the application software and coexisting with the safety functions.
ASR7: It is assumed that the implemented safety function(s) do not depend on STM32F2 Series MCU transitions to and from a low-power state.
ASR8: The local safe state of the compliant item is the one in which either:
• SS1: the application software is informed of the presence of a fault and a reaction by the application software itself is possible, or
• SS2: the application software cannot be informed of the presence of a fault or the application software is not able to execute a reaction.
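The 10 ms allocation of ASR2 and the SS1/SS2 distinction of ASR8 can be made concrete with a small host-compilable C model. This is an added example, not code from UM1845 or from ST: the stage latencies, the fault descriptors, the system-level PST value and the function force_hw_safe_state() are constructed for illustration, and the only assumption taken from the manual is that the STM32 portion of the error reaction chain (detection plus firmware reaction) must fit within 10 ms.

```c
/* Added example (not from UM1845 or ST): models the error reaction chain of
 * ASR2 / Figure 5 and the local safe states SS1 / SS2 of ASR8.
 * Builds with any C99 compiler on a host; no STM32 peripheral access. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* ASR2: worst-case budget for the STM32 portion of the Process Safety Time
 * (detection + firmware reaction), in microseconds. */
#define MCU_PST_BUDGET_US 10000u

/* One stage per block of Figure 5. The first two stages are the
 * "STM32xx Series duty", the last two the "End user duty". */
typedef struct {
    uint32_t mcu_detection_us;
    uint32_t fw_reaction_us;
    uint32_t sw_reaction_us;
    uint32_t actuator_reaction_us;
} reaction_chain_t;

/* Latency of the STM32 portion of the chain. */
static uint64_t mcu_duty_us(const reaction_chain_t *c) {
    return (uint64_t)c->mcu_detection_us + c->fw_reaction_us;
}

/* ASR2 check: detection plus firmware reaction must fit the 10 ms allocation. */
bool mcu_duty_within_budget(const reaction_chain_t *c) {
    return mcu_duty_us(c) <= MCU_PST_BUDGET_US;
}

/* System-level check: the MCU budget holds AND the whole chain fits the
 * system PST. The system PST is a property of the end user's system, so it
 * is passed in by the caller (constructed value in main below). */
bool chain_within_system_pst(const reaction_chain_t *c, uint32_t system_pst_us) {
    uint64_t total = mcu_duty_us(c) + c->sw_reaction_us + c->actuator_reaction_us;
    return mcu_duty_within_budget(c) && total <= system_pst_us;
}

/* ASR8 local safe states. */
typedef enum { SAFE_STATE_SS1 = 1, SAFE_STATE_SS2 = 2 } safe_state_t;

/* Constructed fault descriptor: app_notifiable models "the application software
 * is informed of the fault", app_can_react models "a reaction by the
 * application software itself is possible". */
typedef struct {
    const char *name;
    bool app_notifiable;
    bool app_can_react;
} fault_t;

/* ASR8: SS1 requires both conditions; anything else is SS2. */
safe_state_t select_safe_state(const fault_t *f) {
    return (f->app_notifiable && f->app_can_react) ? SAFE_STATE_SS1 : SAFE_STATE_SS2;
}

/* Hypothetical fallback for SS2: a reaction path that does not rely on the
 * application code running. On the host it only counts its invocations. */
static int g_hw_safe_state_entered = 0;
static void force_hw_safe_state(void) { g_hw_safe_state_entered++; }
int hw_safe_state_count(void) { return g_hw_safe_state_entered; }

/* Dispatch according to the selected safe state and return the state taken.
 * A fault classified SS1 degrades to SS2 when no application reaction is
 * registered, because then the application "is not able to execute a reaction". */
safe_state_t react_to_fault(const fault_t *f, void (*app_reaction)(const fault_t *)) {
    safe_state_t s = select_safe_state(f);
    if (s == SAFE_STATE_SS1 && app_reaction == NULL) {
        s = SAFE_STATE_SS2;
    }
    if (s == SAFE_STATE_SS1) {
        app_reaction(f);          /* SS1: the application is told and reacts */
    } else {
        force_hw_safe_state();    /* SS2: the application cannot be relied upon */
    }
    return s;
}

static void app_reaction_log(const fault_t *f) {
    printf("application reaction to fault '%s'\n", f->name);
}

int main(void) {
    /* Constructed latencies: 3 ms detection + 5 ms firmware reaction fits ASR2. */
    reaction_chain_t chain = { 3000, 5000, 20000, 50000 };
    printf("MCU duty within 10 ms: %s\n", mcu_duty_within_budget(&chain) ? "yes" : "no");
    printf("chain within 100 ms system PST: %s\n",
           chain_within_system_pst(&chain, 100000) ? "yes" : "no");

    /* Constructed faults: a data error the software can handle (SS1), and, as
     * footnote 1 describes, a program counter failure mode that prevents
     * correct software execution, so the application cannot react (SS2). */
    fault_t data_fault = { "recoverable data error", true, true };
    fault_t pc_fault   = { "program counter corruption", false, false };
    printf("-> SS%d\n", (int)react_to_fault(&data_fault, app_reaction_log));
    printf("-> SS%d\n", (int)react_to_fault(&pc_fault, app_reaction_log));
    return 0;
}
```

The split into mcu_duty_within_budget() and chain_within_system_pst() mirrors the figure: ST's analysis only covers the first check, while the second depends on the end user's software and actuator latencies and therefore belongs to the end user duty.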
1. The end user must take into account that random hardware failures affecting the STM32 can compromise the MCU capability of operating properly (for example, failure modes affecting the program counter prevent the correct execution of software).
UM1845 - Rev 4
Figure 5. Allocation and target for STM32 PST (figure not reproduced; its blocks: System-level PST (1), split into "STM32xx Series duty" (MCU detection, FW reaction) and "End user duty" (SW reaction, Actuator reaction))