Iso 26262 Safety Metrics Computation; Iso 26262 Work Products; Table 125. Iec 26262 Work Product Grid - ST STM32F2 Series User Manual

A.4.2 ISO 26262 safety metrics computation

Hardware metrics in the ISO 26262 standard have been defined with a slightly different perspective from IEC 61508:
• Single Point Fault Metric (SPFM): defined with the same formula as SFF in IEC 61508, but its value can differ because safe faults are defined differently (see below).
• Diagnostic Coverage (DC): defined in the same way as in IEC 61508.
• Latent Fault Metric (LFM): an ISO 26262-specific safety metric that evaluates the robustness of the design against faults affecting the diagnostic parts. It has no equivalent in IEC 61508.
It is worth noting that the failures classified in the IEC 61508 standard as no-part/no-effect are classified in ISO 26262 as "safe failures". As a result, the IEC 61508 SFF computations are "conservative", so the SFF values taken from the STM32F2 Series FMEDA can be used as SPFM values.
For a Commercial Off-the-Shelf (COTS) microcontroller such as the STM32F2 Series, the natural target in an ISO 26262 scenario is ASIL B (90% SPFM target for permanent and transient faults, and 60% for latent faults). As these are the same targets as for the 1oo1 SIL2 case, it can be assumed that the same set of conditions of use or safety mechanisms applies. Metric computations are detailed in the FMEDA for the STM32F2 Series microcontrollers; note that the resulting PMHF values comply with the expectations for an ASIL B MCU.
We can conclude that the ASIL B target is achievable, with some constraints on the final application. Note that safety diagnostic measures based on periodic execution of software are executed at least once each FTTI.
For the STM32F2 Series devices, the ASIL B latent fault metric (60%) is achievable with the adoption of the same safety mechanism combination that makes the microcontroller suitable for SIL2 applications.
Note:
Due to differences between the IEC 61508 and ISO 26262 interpretations of local targets for microcontroller modules or functions, the safety performance achieved by the STM32F2 Series in a SIL2 scenario may not be compatible with an ISO 26262 application based on ISO 26262-5, section 9.4.3 (the so-called 'cut-set' approach). If your ISO 26262 safety analysis uses this approach, carefully check the STM32F2 Series FMEDA failure rates at function level.
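As an added illustration (not code from UM1845 or from ST), the following Python computes the ISO 26262 SPFM and LFM, and the IEC 61508 SFF with no-effect faults left out, over constructed FIT rates for two hypothetical MCU functions, and checks the results against the ASIL B targets quoted above. The fault classes, the element names and the sample rates are assumptions, not values from the STM32F2 Series FMEDA.

```python
from dataclasses import dataclass


@dataclass
class ElementRates:
    name: str
    safe: float          # faults with no effect on the safety goal
    no_effect: float     # IEC 61508 "no part/no effect" faults (safe under ISO 26262)
    spf: float           # single-point faults, not covered by any safety mechanism
    rf: float            # residual faults that escape the safety mechanism
    mpf_detected: float  # multiple-point faults detected or perceived
    mpf_latent: float    # multiple-point faults neither detected nor perceived

    @property
    def total(self) -> float:
        return (self.safe + self.no_effect + self.spf + self.rf
                + self.mpf_detected + self.mpf_latent)


def spfm(elements):
    """ISO 26262 SPFM: no-effect faults count as safe, so they stay in the total."""
    total = sum(e.total for e in elements)
    return 1.0 - sum(e.spf + e.rf for e in elements) / total


def sff_iec61508(elements):
    """Same formula as SPFM, but IEC 61508 leaves no-effect faults out, so SFF <= SPFM."""
    total = sum(e.total - e.no_effect for e in elements)
    return 1.0 - sum(e.spf + e.rf for e in elements) / total


def lfm(elements):
    """ISO 26262 LFM: latent share among faults that are not single-point/residual."""
    total = sum(e.total for e in elements)
    not_single_point = total - sum(e.spf + e.rf for e in elements)
    return 1.0 - sum(e.mpf_latent for e in elements) / not_single_point


ASIL_B_TARGETS = {"SPFM": 0.90, "LFM": 0.60}  # the targets quoted in the manual


def check_asil_b(elements):
    """Return {metric: (value, meets_target)}; pass one element for a per-function check."""
    values = {"SPFM": spfm(elements), "LFM": lfm(elements)}
    return {k: (v, v >= ASIL_B_TARGETS[k]) for k, v in values.items()}


# Constructed sample rates in FIT; they are not values from the STM32F2 Series FMEDA.
SAMPLE = [
    ElementRates("CPU", safe=200, no_effect=100, spf=20, rf=30, mpf_detected=600, mpf_latent=50),
    ElementRates("SRAM", safe=100, no_effect=200, spf=0, rf=60, mpf_detected=500, mpf_latent=140),
]

if __name__ == "__main__":
    for metric, (value, ok) in check_asil_b(SAMPLE).items():
        print(f"{metric}: {value:.3f} -> {'PASS' if ok else 'FAIL'}")
    print(f"IEC 61508 SFF on the same data: {sff_iec61508(SAMPLE):.3f}")
```

Calling check_asil_b() with a single element gives the function-level view that the cut-set note asks you to verify against the FMEDA.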
A.4.3 ISO 26262 work products

The following table lists the work products required by the ISO 26262 standard and their mapping to the work products of the IEC 61508 compliance activity:

Table 125. ISO 26262 work product grid

ISO 26262:2010 Part-Clause   Information to be provided
4-6.5.1                      Technical safety requirements specification
4-7.5.1                      Technical safety concept
4-7.5.6                      Safety analysis reports resulting from requirement
5-6.5.3                      Hardware safety requirements verification report
5-7.5.2                      Hardware safety analysis report
5-8.5.1                      Analysis of the effectiveness of the architecture of the item to cope with the random hardware failures
5-8.5.2                      Review report of evaluation of the effectiveness of the architecture of the item to cope with the random hardware failures
5-9.5.1                      Analysis of safety goal violations due to random hardware failures
5-9.5.3                      Review report of evaluation of safety goal violations due to random hardware failures
6-6.5.1                      Software safety requirements specification
6-7.5.1                      Software architectural design specification
6-11.5.3                     Software verification report (refined)

The third column of the grid, "STM32F2 Series IEC 61508 document", maps each work product to one of: the STM32F2 Series Safety Manual, the STM32F2 Series FMEDA, or end user responsibility.

UM1845 - Rev 4   page 98/108