ST STM32L4 Series User Manual

UM2305
User manual
STM32L4 and STM32L4+ Series safety manual
Introduction
This document must be read along with the technical documentation such as reference manual(s) and datasheets for the
STM32L4 and STM32L4+ Series microcontroller devices, available on www.st.com.
It describes how to use the devices in the context of a safety-related system, specifying the user's responsibilities for installation
and operation in order to reach the targeted safety integrity level. It also pertains to the X-CUBE-STL software product.
It provides the essential information pertaining to the applicable functional safety standards, which allows system designers to
avoid going into unnecessary details.
The document is written in compliance with IEC 61508, and it provides information relative to other functional safety standards.
The safety analysis in this manual takes into account the device variation in terms of memory size, available peripherals, and
package.
UM2305 - Rev 10 - June 2021
www.st.com
For further information contact your local STMicroelectronics sales office.

Summary of Contents for ST STM32L4 Series

  • Page 2: About This Document

    About this document. Purpose and scope: This document describes how to use Arm® Cortex®-M4-based STM32L4 and STM32L4+ Series microcontroller unit (MCU) devices (further also referred to as Device(s)) in the context of a safety-related system, specifying the user's responsibilities for installation and operation, in order to reach the desired safety integrity level.
  • Page 3: Reference Documents

    Reference documents: AN5112: Results of FMEA on STM32L4 and STM32L4+ Series microcontrollers. AN5111: FMEDA snapshots for STM32L4 and STM32L4+ Series microcontrollers.
  • Page 4: Device Development Process

    (package, module, sub-system, hardware, software, and documentation), qualified with ST internal procedures and fitting ST internal or subcontracted manufacturing technologies.
  • Page 5: Reference Safety Architecture

    Reference safety architecture. This section reports details of the STM32L4 and STM32L4+ Series safety architecture. Safety architecture introduction: Device(s) analyzed in this document can be used as Compliant item(s) within different safety applications. The aim of this section is to identify such Compliant item(s), that is, to define the context of the analysis with respect to a reference concept definition.
  • Page 6: Reference Safety Architectures - 1oo1

    Compliant item: • output processing elements (PEo) transferring safety-related data to the remote controller connected to the actuator • in 1oo2 architecture, potentially a further voting processing element (PEv) • the computation processing elements can be involved (to the extent depending on the target safety integrity) in the implementation of local software-based diagnostic functions;...
  • Page 7: Reference Safety Architectures - 1oo2

    Compliant item. 3.2.4 Reference safety architectures - 1oo2. The 1oo2 reference architecture (Figure 4) contains two separate channels, each implemented as a 1oo1 reference architecture ensuring safety integrity of the Compliant item through combining Device internal processes (implemented safety mechanisms) with external processes WDTe and VMONe. The overall safety integrity is then ensured by the external voter PEv, which allows claiming hardware fault tolerance (HFT) equal to 1.
  • Page 8: Safety Analysis Assumptions

    Safety analysis assumptions. This section collects all assumptions made during the safety analysis of Devices. 3.3.1 Safety requirement assumptions: The safety concept specification, the overall safety requirement specification and the consequent allocation determine the requirements for the Compliant item as further listed. ASR stands for assumed safety requirement. Caution: It is the End user's responsibility to check the compliance of the final application with these assumptions.
  • Page 9: Electrical Specifications And Environment Limits

    However, ST internally assesses the compliance of the Device development flow, through techniques and measures suggested in the IEC 61508-2 Annex F.
  • Page 10: Arm Cortex-M4 CPU

    The implementation guidelines reported in the following section are for reference only. The safety verification executed by ST during the Device safety analysis and related diagnostic coverage figures reported in this manual (or related documents) are based on such guidelines. For clarity, safety mechanisms are grouped by Device function.
  • Page 11: Table 4. CPU_SM_1

    Hardware and software diagnostics. SM CODE CPU_SM_0. Ownership: End user or ST. Detailed implementation: The software test is built around well-known techniques already addressed by IEC 61508:7, A.3.2 (Self-test by software: walking bit one-channel). To reach the required values of coverage, the self-test software is specified by means of a detailed analysis of all the CPU failure modes and related failure modes distribution.
  • Page 12: Table 5. CPU_SM_2

    SM CODE CPU_SM_1. Dependency on Device configuration: None. Initialization: Depends on implementation. Periodicity: Continuous. Test for the diagnostic: Not applicable. Multiple-fault protection: CPU_SM_0: Periodic core self-test software. Recommendations and known limitations: None. Table 5. CPU_SM_2. SM CODE CPU_SM_2. Description...
  • Page 13: Table 7. CPU_SM_4

    SM CODE CPU_SM_3. Dependency on Device configuration: None. Initialization: None. Periodicity: Continuous. Test for the diagnostic: It is possible to write a test procedure to verify the generation of the HardFault exception; anyway, given the expected minor contribution in terms of hardware random-failure detection, such implementation is optional.
  • Page 14: Table 9. CPU_SM_6

    SM CODE CPU_SM_5. It also contributes to dramatically reduce potential common cause failures, because the external watchdog is clocked and supplied independently of the Device. Error reporting: Depends on implementation. Fault detection time: Depends on implementation (watchdog timeout interval). Addressed fault model: Permanent/transient. Dependency on Device configuration...
  • Page 15: Table 11. CPU_SM_8

    SM CODE CPU_SM_7. Fault detection time: Refer to functional documentation. Addressed fault model: Systematic (software errors); Permanent/transient (only program counter and memory access failures). Dependency on Device configuration: None. Initialization: MPU registers must be programmed at start-up. Periodicity: On line. Test for the diagnostic...
  • Page 16: System Bus Architecture/BusMatrix

    SM CODE MPU_SM_0. Detailed implementation: This method must be applied to MPU configuration registers (also those unused by End user Application software). Detailed information on the implementation of this method can be found in Section 3.6.14 Extended interrupt and events controller (EXTI).
  • Page 17: Embedded SRAM

    Optimizations are therefore possible. 3.6.3 Embedded SRAM. Table 16. RAM_SM_0. SM CODE RAM_SM_0. Description: Periodic software test for static random access memory (SRAM). Ownership: End user or ST...
  • Page 18: Table 17. RAM_SM_1

    SM CODE RAM_SM_0. Detailed implementation: To enhance the coverage on SRAM data cells and to ensure adequate coverage for permanent faults affecting the address decoder, it is required to execute a periodic software test on the system RAM memory. The selection of the algorithm must ensure the target SFF coverage for both the RAM cells and the address decoder.
  • Page 19: Table 18. RAM_SM_2

    Table 18. RAM_SM_2. SM CODE RAM_SM_2. Description: Stack hardening for Application software. Ownership: End user. Detailed implementation: The stack hardening method is used to enhance Application software robustness to SRAM faults that affect the address decoder. The method is based on source code modification, introducing information redundancy in the stack-passed information to the called functions.
  • Page 20: Table 20. RAM_SM_4

    SM CODE RAM_SM_3. Recommendations and known limitations: Implementation of this safety method shows a partial overlap with an already foreseen method for Arm® Cortex®-M4 (CPU_SM_1); optimizations in implementing both methods are therefore possible.
  • Page 21: Embedded Flash Memory

    Description: Periodic software test for Flash memory. Ownership: End user or ST. Permanent faults affecting the system Flash memory interface address decoder are addressed through a dedicated software test that checks the memory cells contents versus the expected value, using signature-based techniques. According to IEC 61508:2 Table A.5,...
  • Page 22: Table 24. FLASH_SM_1

    SM CODE FLASH_SM_0. The use of the internal cyclic redundancy check (CRC) module is recommended. In principle the direct memory access (DMA) feature for data transfer can be used. Unused Flash memory sections can be excluded from testing. Table 24.
  • Page 23: Table 26. FLASH_SM_3

    Table 26. FLASH_SM_3. SM CODE FLASH_SM_3. Description: Option byte write protection. Detailed implementation: This safety mechanism prevents unintended writes on the option byte. The use of this method is encouraged to enhance end application robustness for systematic faults. Error reporting: Write protection exception. Fault detection time...
  • Page 24: Table 29. FLASH_SM_6

    SM CODE FLASH_SM_5. Fault detection time: Not applicable. Addressed fault model: Permanent. Dependency on Device configuration: None. Initialization: None (always enabled). Periodicity: Startup. Test for the diagnostic: Not applicable. Multiple-fault protection: CPU_SM_0: Periodic core self-test software. Recommendations and known limitations: None. Table 29.
  • Page 25: Table 31. FLASH_SM_8

    SM CODE FLASH_SM_7. Addressed fault model: Permanent/transient. Dependency on Device configuration: None. Initialization: None. Periodicity: Continuous. Test for the diagnostic: A direct test procedure for ECC efficiency is not available. ECC run-time hardware failures leading to disabling such protection, or leading to wrong corrections, fall into the multiple-fault scenario from the IEC 61508 perspective.
  • Page 26: Firewall (FW)

    Table 32. FLASH_SM_9. SM CODE FLASH_SM_9. Description: Periodic test by software for Flash memory address decoder. Ownership: End user. Detailed implementation: Permanent faults affecting the system Flash memory interface address decoder are addressed through a dedicated software test that checks the memory cells contents versus the expected value.
  • Page 27: Table 35. VSUP_SM_1

    SM CODE VSUP_SM_0. Detailed implementation: This method must be applied to configuration registers. Detailed information on the implementation of this method can be found in Section 3.6.14 Extended interrupt and events controller (EXTI). Error reporting: Refer to NVIC_SM_0. Fault detection time: Refer to NVIC_SM_0...
  • Page 28: Table 37. VSUP_SM_3

    SM CODE VSUP_SM_2. Error reporting: Reset signal generation. Fault detection time: Depends on implementation (watchdog timeout interval). Addressed fault model: Permanent. Dependency on Device configuration: None. Initialization: IWDG activation. It is recommended to use Hardware watchdog in Option byte settings (IWDG is automatically enabled after reset).
  • Page 29: Reset And Clock Controller (RCC)

    SM CODE VSUP_SM_4. Dependency on Device configuration: None. Initialization: Protection enable and threshold programming on selected power rails in the Power control register. Periodicity: Continuous. Test for the diagnostic: Not applicable. Multiple-fault protection: CPU_SM_5: External watchdog. Recommendations and known limitations: This method can be used in conjunction with VSUP_SM_0 to implement a complete supervision of the VDD value...
  • Page 30: Table 41. CLK_SM_1

    SM CODE CLK_SM_0. Dependency on Device configuration: Refer to NVIC_SM_0. Initialization: Refer to NVIC_SM_0. Periodicity: Refer to NVIC_SM_0. Test for the diagnostic: Refer to NVIC_SM_0. Multiple-fault protection: Refer to NVIC_SM_0. Recommendations and known limitations: Refer to NVIC_SM_0. Table 41.
  • Page 31: General-Purpose Input/Output (GPIO)

    SM CODE CLK_SM_2. Recommendations and known limitations: The adoption of an external watchdog (refer to CPU_SM_5) adds further diversity. Table 43. CLK_SM_3. SM CODE CLK_SM_3. Description: Internal clock cross-measurement. Ownership: End user. This method is implemented using TIM15/TIM16/TIM17 capabilities to be fed by the 32 KHz RTC clock or an external clock source (if available).
  • Page 32: Table 45. GPIO_SM_1

    Table 45. GPIO_SM_1. SM CODE GPIO_SM_1. Description: 1oo2 for input GPIO lines. Ownership: End user. Detailed implementation: This method addresses GPIO lines used as inputs. Implementation is done by connecting the external safety-related signal to two independent GPIO lines. Comparison between the two GPIO values is executed by Application software each time the signal is used to affect Application software behavior.
  • Page 33: Debug System Or Peripheral Control

    Table 47. GPIO_SM_3. SM CODE GPIO_SM_3. Description: GPIO port configuration lock register. Detailed implementation: This safety mechanism prevents configuration changes for GPIO registers; it therefore addresses systematic faults in the software application. The use of this method is encouraged to enhance the end-application robustness for systematic faults.
  • Page 34: System Configuration Controller (SYSCFG)

    Ownership: End user. Detailed implementation: In STM32L4 and STM32L4+ Series, several hardware-based safety mechanisms are available (those with the Ownership field set to ST). This method must be applied to any configuration register related to diagnostic measure operations, including error reporting. The End user must therefore identify configuration registers related to: •...
  • Page 35: Direct Memory Access Controller (DMA/DMA2D/DMAMUX)

    SM CODE DIAG_SM_0. • interrupt/NMI enable (if used for diagnostic error management). Error reporting: Refer to NVIC_SM_0. Fault detection time: Refer to NVIC_SM_0. Addressed fault model: Refer to NVIC_SM_0. Dependency on Device configuration: Refer to NVIC_SM_0. Initialization: Refer to NVIC_SM_0. Periodicity...
  • Page 36: Table 54. DMA_SM_2

    SM CODE DMA_SM_1. Addressed fault model: Permanent/transient. Dependency on Device configuration: None. Initialization: Depends on implementation. Periodicity: On demand. Test for the diagnostic: Not applicable. Multiple-fault protection: CPU_SM_0: Periodic core self-test software. Recommendations and known limitations: To give an example about checksum encoding capability, using just a bit-by-bit addition is inappropriate.
  • Page 37: Table 56. DMA_SM_4

    SM CODE DMA_SM_3. • errors in single transferred word • wrong order in packed transmitted data. Error reporting: Depends on implementation. Fault detection time: Depends on implementation. Addressed fault model: Permanent. Dependency on Device configuration: None. Initialization: Depends on implementation...
  • Page 38: Chrom-Art Accelerator Controller (DMA2D)

    3.6.12 Chrom-Art Accelerator controller (DMA2D). Table 57. DMA2D_SM_0. SM CODE DMA2D_SM_0. Description: Periodic read-back of configuration registers. Ownership: End user. Detailed implementation: This method must be applied to DMA2D configuration registers. Detailed information on the implementation of this method can be found in Section 3.6.14 Extended interrupt and events controller (EXTI).
  • Page 39: Chrom-GRC™ (GFXMMU)

    Table 59. DMA2D_SM_2. SM CODE DMA2D_SM_2. Description: DMA processing and interrupt awareness. Ownership: End user. This method is based on system knowledge of the frequency and type of DMA2D transaction expected. In general, image processing systems are based on a deterministic timing for image framing arrival and processing.
  • Page 40: Extended Interrupt And Events Controller (EXTI)

    Table 61. GFX_SM_1. SM CODE GFX_SM_1. Description: Periodic LUT read-back. Ownership: End user. Detailed implementation: This test is implemented by executing a periodical read-back of the LUT programmed memory cells versus their expected value. LUT reference values are usually stored in the Flash memory, allowing the implementation of the check feature.
  • Page 41: Cyclic Redundancy-Check Calculation Unit (CRC)

    SM CODE NVIC_SM_0. Initialization: Values of configuration registers must be read after the boot before executing the first check. Periodicity: Periodic. Test for the diagnostic: Not applicable. Multiple-fault protection: CPU_SM_0: Periodic core self-test software. This method addresses only failures affecting configuration registers, and not peripheral core logic or external interface.
  • Page 42: Flexible Static Memory Controller (FSMC)

    SM CODE CRC_SM_0. Detailed implementation: The CRC algorithm implemented in this module (CRC-32 Ethernet polynomial: 0x4C11DB7) offers excellent features in terms of error detection in the message. Therefore permanent and transient faults affecting CRC computations are easily detected by any operations using the module to recompute an expected signature.
  • Page 43: Table 67. FSMC_SM_2

    SM CODE FSMC_SM_1. Detailed implementation: If the FSMC interface is used to connect an external memory where safety-relevant data are stored, information redundancy techniques for stored data are able to address faults affecting the FSMC interface. The possible techniques are: •...
  • Page 44: Quad-SPI Interface And Octo-SPI Interface (QUADSPI/OCTOSPI)

    SM CODE FSMC_SM_3. Error reporting: Refer to functional documentation. Fault detection time: ECC bits are checked during memory reading. Addressed fault model: Permanent/transient. Dependency on Device configuration: FSMC interface is available only on selected part numbers. Initialization: None. Periodicity...
  • Page 45: Analog-To-Digital Converter (ADC)

    SM CODE QSPI_SM_1. Addressed fault model: Permanent/transient. Dependency on Device configuration: None. Initialization: Depends on implementation. Periodicity: Continuous. Test for the diagnostic: A direct test procedure for CRC efficiency is not available. CRC run-time hardware failures leading to disabling such protection fall into the multiple-fault scenario from the IEC 61508 perspective.
  • Page 46: Table 73. ADC_SM_1

    SM CODE ADC_SM_0. Addressed fault model: Refer to NVIC_SM_0. Dependency on Device configuration: Refer to NVIC_SM_0. Initialization: Refer to NVIC_SM_0. Periodicity: Refer to NVIC_SM_0. Test for the diagnostic: Refer to NVIC_SM_0. Multiple-fault protection: Refer to NVIC_SM_0. Recommendations and known limitations: Refer to NVIC_SM_0. Table 73.
  • Page 47: Table 75. ADC_SM_3

    SM CODE ADC_SM_2. Addressed fault model: Depends on implementation. Dependency on Device configuration: None. Initialization: Depends on implementation. Periodicity: Continuous. Test for the diagnostic: Not applicable. Multiple-fault protection: CPU_SM_0: Periodic core self-test software. Recommendations and known limitations: The implementation and the related diagnostic efficiency of this safety mechanism are strongly application-dependent.
  • Page 48: Digital-To-Analog Converter (DAC)

    SM CODE ADC_SM_4. Test for the diagnostic: Not applicable. Multiple-fault protection: ADC_SM_0: Periodic read-back of configuration registers. Recommendations and known limitations: This method can be used in conjunction with ADC_SM_0 / ADC_SM_2 / ADC_SM_3 to achieve the highest level of ADC module diagnostic coverage.
  • Page 49: Voltage Reference Buffer (VREFBUF)

    3.6.20 Voltage reference buffer (VREFBUF). Table 79. VREF_SM_0. SM CODE VREF_SM_0. Description: Periodic read-back of VREFBUF system configuration registers. Ownership: End user. Detailed implementation: This method must be applied to VREFBUF configuration registers. Detailed information on the implementation of this method can be found in Section 3.6.14 Extended interrupt and events controller (EXTI).
  • Page 50: Table 82. COMP_SM_1

    SM CODE COMP_SM_0. Detailed information on the implementation of this method can be found in Section 3.6.14 Extended interrupt and events controller (EXTI). Error reporting: Refer to NVIC_SM_0. Fault detection time: Refer to NVIC_SM_0. Addressed fault model: Refer to NVIC_SM_0. Dependency on Device configuration: Refer to NVIC_SM_0...
  • Page 51: Table 84. COMP_SM_3

    SM CODE COMP_SM_2. Multiple-fault protection: CPU_SM_0: Periodic core self-test software. Recommendations and known limitations: None. Table 84. COMP_SM_3. SM CODE COMP_SM_3. Description: Multiple acquisition by Application software. Ownership: End user. Detailed implementation: This method requires that Application software takes a decision not on the basis of a comparator single-shot transition, but after multiple events or after the permanence of comparator trigger conditions for a certain amount of time.
  • Page 52: Operational Amplifiers (OPAMP)

    3.6.22 Operational amplifiers (OPAMP). Table 86. AMP_SM_0. SM CODE AMP_SM_0. Description: Periodic read-back of OPAMP configuration registers. Ownership: End user. Detailed implementation: This method must be applied to OPAMP configuration registers. Detailed information on the implementation of this method can be found in Section 3.6.14 Extended interrupt and events controller (EXTI).
  • Page 53: Table 88. DFS_SM_1

    Table 88. DFS_SM_1. SM CODE DFS_SM_1. Description: Multiple acquisition by Application software. Ownership: End user. Detailed implementation: This method implements a timing information redundancy by executing multiple acquisitions on the same input signal. Multiple acquisition data are then combined by a filter algorithm to determine the correct signal value.
  • Page 54: Digital Camera Interface (DCMI)

    SM CODE DFS_SM_3. Addressed fault model: Permanent/transient. Dependency on Device configuration: None. Initialization: Depends on implementation. Periodicity: On demand. Test for the diagnostic: Not applicable. Multiple-fault protection: DFS_SM_0: Periodic read-back of DFSDM configuration registers. Recommendations and known limitations: This method can be used in conjunction with DFS_SM_0 to achieve the highest level of DFSDM module diagnostic coverage (as an alternative to DFS_SM_1 and DFS_SM_2).
  • Page 55: LCD-TFT Display Controller (LTDC)

    SM CODE DCMI_SM_1. Multiple-fault protection: DCMI_SM_0: Periodic read-back of DCMI configuration registers. Recommendations and known limitations: (*) By its nature, the detection of an actual hardware failure by this safety mechanism can be confused with functional-related scenarios (e.g. camera device disconnected or powered-off). It is the responsibility of Application software to discriminate, as far as it is technically possible, among the different events.
  • Page 56: DSI Host (DSI)

    Note: The above-described safety mechanism addresses the LTDC interface included in STM32 MCUs. Because the actual capability of correct image generation on LTDC is not addressed by this safety mechanism, in case such feature is considered safety relevant, the End user is warned to evaluate the adoption of adequate system-level measures.
  • Page 57: Touch Sensing Controller (TSC)

    Note: The above-described safety mechanisms address the DSI interface included in STM32 MCUs, including the PHY. Because the actual capability of correct physical signal generation to drive the connected monitor is not addressed by these safety mechanisms, in case such feature is considered safety relevant, the End user is warned to evaluate the adoption of adequate system-level measures.
  • Page 58: Hash Processor (HASH)

    Table 99. TSC_SM_2. SM CODE TSC_SM_2. Description: Application-level detection of permanent failures of TSC acquisition. Ownership: End user. Detailed implementation: This method must detect TSC module permanent failure leading to wrong or missing acquisition of touch sensing events. Error reporting: Depends on implementation. Fault detection time...
  • Page 59: True Random Number Generator (RNG)

    Test for the diagnostic: Refer to NVIC_SM_0. Multiple-fault protection: Refer to NVIC_SM_0. Recommendations and known limitations: Refer to NVIC_SM_0. Table 103. RNG_SM_1. SM CODE RNG_SM_1. Description: RNG module entropy on-line tests. Ownership: ST and End user...
  • Page 60: Advanced Encryption Standard Hardware Accelerator (AES)

    SM CODE RNG_SM_1. The RNG module includes an internal diagnostic for the analog entropy source that can be used to detect failures on the module itself. Furthermore, the required test that each generated random number differs from the previous one (as required by FIPS PUB 140-2) can be exploited as well.
  • Page 61: Advanced, General, And Low-Power Timer (TIM1/2/3/4/5/8/15/16/17, LPTIM1/2)

    SM CODE AES_SM_1. Detailed implementation: Encryption and decryption operations performed by the AES module are composed of several data manipulations and checks, with different levels of complexity according to the selected chaining algorithm. A major part of the hardware random failures affecting the AES module leads to algorithm violations/errors.
  • Page 62: Table 107. ATIM_SM_0

    Table 107. ATIM_SM_0. SM CODE ATIM_SM_0. Description: Periodic read-back of configuration registers. Ownership: End user. Detailed implementation: This method must be applied to advanced, general-purpose and low-power timer configuration registers. Detailed information on the implementation of this method can be found in Section 3.6.14 Extended interrupt and events controller (EXTI).
  • Page 63: Table 109. ATIM_SM_2

    Table 109. ATIM_SM_2. SM CODE ATIM_SM_2. Description: 1oo2 for input capture timers. Ownership: End user. Detailed implementation: This method is conceived to protect timers used for acquisition and measurement of external signals (input capture, encoder reading). The implementation consists in connecting the external signals also to a redundant timer, and checking the coherence of the measured data at application level.
  • Page 64: Basic Timers (TIM6/7)

    SM CODE ATIM_SM_3. Recommendations and known limitations: Efficiency versus transient failures is linked to final application characteristics. We define as Tm the minimum duration of PWM wrong signal permanence (wrong frequency, wrong duty, or both) required to violate the related safety function(s). Efficiency is maximized when the test execution frequency is higher than 1/Tm.
  • Page 65: Real-Time Clock Module (RTC)

    Table 113. GTIM_SM_1. SM CODE GTIM_SM_1. Description: 1oo2 for counting timers. Ownership: End user. This method implements via software a 1oo2 scheme between two counting resources. The guidelines for the implementation of the method are the following: •...
  • Page 66: Table 115. RTC_SM_1

    Table 115. RTC_SM_1. SM CODE RTC_SM_1. Description: Application check of running RTC. Ownership: End user. Application software implements some plausibility check on RTC calendar or timing data, mainly after a power-up and further date reading by RTC. The guidelines for the implementation of the method are the following: •...
  • Page 67: Inter-Integrated Circuit (I2C)

    Table 117. RTC_SM_3. SM CODE RTC_SM_3. Description: Application-level measures to detect failures in timestamps/event capture. Ownership: End user. Detailed implementation: This method must detect failures affecting the RTC capability to correctly execute the timestamps/event capture functions. Due to the strictly application-dependent nature of this solution, no detailed guidelines for its implementation are given here.
  • Page 68: Table 120. IIC_SM_2

    SM CODE IIC_SM_1. Detailed implementation: The I2C communication module embeds protocol error checks (like overrun, underrun, packet error etc.) conceived to detect network-related abnormal conditions. These mechanisms are anyway able to detect a marginal percentage of hardware random failures affecting the module itself.
  • Page 69: Universal Synchronous/Asynchronous Receiver/Transmitter And Low Power Universal Asynchronous Receiver/Transmitter (USART1/2/3/4/5/6/7/8 And LPUART)

    SM CODE IIC_SM_3. Detailed implementation: The I2C communication module allows activating, for a specific mode of operation (SMBus), the automatic insertion (and check) of CRC checksums on packet data. Error reporting: Error flag raise and optional Interrupt Event generation. Fault detection time: Depends on implementation. Addressed fault model...
  • Page 70: Table 124. UART_SM_1

    SM CODE UART_SM_0. Detailed implementation: This method must be applied to USART1/2/3/4/5/6/7/8 and LPUART configuration registers. Detailed information on the implementation of this method can be found in Section 3.6.14 Extended interrupt and events controller (EXTI).
  • Page 71: Table 126. UART_SM_3

    SM CODE UART_SM_2. Consistency of the data packet must be checked by Application software before consuming data. Error reporting: Depends on implementation. Fault detection time: Depends on implementation. Addressed fault model: Permanent/transient. Dependency on Device configuration: None. Initialization: Depends on implementation...
  • Page 72: Serial Peripheral Interface (Spi)

    3.6.36 Serial peripheral interface (SPI). Table 127. SPI_SM_0. SM CODE: SPI_SM_0. Description: Periodic read-back of configuration registers. Ownership: End user. Detailed implementation: This method must be applied to SPI configuration registers. Detailed information on the implementation of this method can be found in Section 3.6.14 Extended interrupt and events controller (EXTI).
  • Page 73: Table 130. SPI_SM_3

    SM CODE: SPI_SM_2. Detailed implementation: This method is implemented by adding to the data packets transferred by SPI a redundancy check (such as a CRC check or a similar one) with encoding capability. The checksum encoding capability must be robust enough to guarantee at least 90% probability of detection for a single bit flip in the data packet.
  • Page 74: Serial Audio Interface (SAI)

    SM CODE: SPI_SM_4. Detailed implementation: This method aims to protect the communication between the SPI peripheral and its external counterpart. Refer to the UART_SM_3 description for detailed information. Error reporting: Refer to UART_SM_3. Fault detection time: Refer to UART_SM_3. Addressed fault model: Refer to UART_SM_3. Dependency on Device configuration: ...
  • Page 75: Single Wire Protocol Master Interface (SWPMI)

    SM CODE: SAI_SM_1. Fault detection time: Depends on implementation. Addressed fault model: Permanent/transient. Dependency on Device configuration: None. Initialization: Depends on implementation. Periodicity: Continuous/On demand. Test for the diagnostic: Not applicable. Multiple-fault protection: CPU_SM_0: Periodic core self-test software. Efficiency versus transient failures is linked to final application characteristics.
  • Page 76: Table 136. SWPMI_SM_1

    SM CODE: SWPMI_SM_0. Addressed fault model: Refer to NVIC_SM_0. Dependency on Device configuration: Refer to NVIC_SM_0. Initialization: Refer to NVIC_SM_0. Periodicity: Refer to NVIC_SM_0. Test for the diagnostic: Refer to NVIC_SM_0. Multiple-fault protection: Refer to NVIC_SM_0. Recommendations and known limitations: Refer to NVIC_SM_0. Table 136.
  • Page 77: SD/SDIO/MMC Card Host Interface (SDMMC)

    SM CODE: SWPMI_SM_2. Periodicity: Periodic. Test for the diagnostic: Not applicable. Multiple-fault protection: SWPMI_SM_0: Periodic read-back of configuration registers. Recommendations and known limitations: (empty in this excerpt). Table 138. SWPMI_SM_3. SM CODE: SWPMI_SM_3. Description: Information redundancy techniques on messages to implement full end-to-end operation. Ownership: End user. This method aims to protect the communication between a peripheral and its external...
  • Page 78: Table 140. SDIO_SM_1

    SM CODE: SDIO_SM_0. Addressed fault model: Refer to NVIC_SM_0. Dependency on Device configuration: Refer to NVIC_SM_0. Initialization: Refer to NVIC_SM_0. Periodicity: Refer to NVIC_SM_0. Test for the diagnostic: Refer to NVIC_SM_0. Multiple-fault protection: Refer to NVIC_SM_0. Recommendations and known limitations: Refer to NVIC_SM_0. Table 140.
  • Page 79: Controller Area Network (bxCAN)

    SM CODE: SDIO_SM_2. Multiple-fault protection: CPU_SM_0: Periodic core self-test software. Recommendations and known limitations: As an example of checksum encoding capability, using just a bit-by-bit addition is inappropriate. This safety mechanism can overlap with information redundancy techniques implemented at system level to address failures of the physical device connected to the SDIO/SDMMC port.
  • Page 80: Universal Serial Bus Full-Speed Device Interface (OTG_FS)

    SM CODE: CAN_SM_1. Test for the diagnostic: Not applicable. Multiple-fault protection: CAN_SM_2: Information redundancy techniques on messages, including end-to-end protection. Recommendations and known limitations: Enabling related interrupt generation on the detection of errors is highly recommended. Table 144.
  • Page 81: Table 146. USB_SM_1

    USB_SM_2. Description: Information redundancy techniques on messages. Ownership: End user or ST. Detailed implementation: For the implementation of the required information redundancy on messages, the USB communication module is fitted with a hardware capability: it allows activating the automatic insertion (and check) of CRC checksums on packet data.
  • Page 82: Part Separation (No Interference)

    SM CODE: USB_SM_2. Test for the diagnostic: Not applicable. Multiple-fault protection: CPU_SM_0: Periodic core self-test software. Recommendations and known limitations: None. Table 148. USB_SM_3. SM CODE: USB_SM_3. Description: Information redundancy techniques on messages, including end-to-end protection. Ownership: End user. This method aims to protect the communication between the USB OTG_FS peripheral and its...
  • Page 83: Conditions Of Use

    UM2305 Conditions of use. SM CODE: FFI_SM_0. Periodicity: Startup. Test for the diagnostic: Not applicable. Multiple-fault protection: FFI_SM_1: Periodic read-back of interference avoidance registers. Recommendations and known limitations: None. Table 150. FFI_SM_1. SM CODE: FFI_SM_1. Description: Periodic read-back of interference avoidance registers. Ownership: End user. This method contributes to the reduction of the probability of cross-interferences between...
  • Page 84: Table 151. List Of Safety Recommendations

    The X marker in the Perm and Trans table columns indicates that the related safety mechanism is effective for that fault model. Table 151. List of safety recommendations. Columns: Diagnostic, Description, Rank, Perm, Trans. Arm® Cortex®...
  • Page 85 Table 151 (continued; the Rank, Perm and Trans markers are not captured in this excerpt): FLASH_SM_9: Periodic test by software for Flash memory address decoder. Firewall (FW): FWR_SM_0: Periodic read-back of Firewall configuration registers. Power controller (PWR): VSUP_SM_0: Periodic read-back of configuration registers; VSUP_SM_1: Supply voltage internal monitoring (PVD); VSUP_SM_2: Independent watchdog; VSUP_SM_3: ...
  • Page 86 Table 151 (continued): GFX_SM_1: Periodic LUT read-back. Extended interrupt and events controller (EXTI): NVIC_SM_0: Periodic read-back of configuration registers; NVIC_SM_1: Expected and unexpected interrupt check. Cyclic redundancy-check calculation unit (CRC): CRC_SM_0: CRC self-coverage. Flexible static memory controller (FSMC): FSMC_SM_0: Control flow monitoring in Application software; Information redundancy on external memory connected...
  • Page 87 Table 151 (continued): Digital camera interface (DCMI): DCMI_SM_0: Periodic read-back of DCMI configuration registers; DCMI_SM_1: DCMI video input data synchronization. LCD-TFT display controller (LTDC): LCD_SM_0: Periodic read-back of LTDC configuration registers and buffer memory; LCD_SM_1: LTDC acquisition by ADC channel. DSI Host (DSI): ...
  • Page 88 Table 151 (continued): Real-time clock module (RTC): RTC_SM_0: Periodic read-back of configuration registers; RTC_SM_1: Application check of running RTC; RTC_SM_2: Information redundancy on backup registers; RTC_SM_3: Application-level measures to detect failures in timestamps/event capture. Inter-integrated circuit (I2C): IIC_SM_0: Periodic read-back of configuration registers...
  • Page 89 Table 151 (continued): Controller area network (bxCAN): CAN_SM_0: Periodic read-back of configuration registers; CAN_SM_1: Protocol error signals; CAN_SM_2: Information redundancy techniques on messages, including end-to-end protection. Universal serial bus full-speed device interface (OTG_FS): USB_SM_0: Periodic read-back of configuration registers; USB_SM_1: Protocol error signals...
  • Page 90 Notes: 2. Can be considered ranked as “+” if only one safety function is implemented and the presence of non-safety-related software is excluded. 3. Must be considered ranked as “++” if Application software is executed on RAM. The above-described safety mechanisms or conditions of use are conceived with different levels of abstraction depending on their nature: the more a safety mechanism is implemented in an application-independent way, the wider its possible use across a large range of End user applications.
  • Page 91: Safety Results

    Safety results. This section reports the results of the safety analysis of the STM32L4 and STM32L4+ Series devices, according to IEC 61508 and to the ST methodology flow, related to hardware random and dependent failures. Random hardware failure safety results...
  • Page 92: General Requirements For Freedom From Interferences (FFI)

    UM2305 Random hardware failure safety results. In actual End user applications, not all the STM32L4 and STM32L4+ Series parts or modules implement a safety function. That happens if: • the part is not used at all (disabled), or • the part implements functions that are not safety-related (for example, a GPIO line driving a power-on signaling light on an electronic board).
  • Page 93: Notes On Multiple-Fault Scenario

    UM2305 Analysis of dependent failures. 4.1.3 Notes on multiple-fault scenario. According to the requirements of IEC 61508, the safety analysis for STM32L4 and STM32L4+ Series devices considered multiple-fault scenarios. Furthermore, following the spirit of ISO 26262 (the reference and state-of-the-art standard for integrated circuit safety analysis), the analysis investigated possible causes preventing the implemented safety mechanisms from being effective, in order to determine appropriate counter-measures.
  • Page 94: DMA

    The adoption of such safety mechanisms is therefore highly recommended despite their minor contribution to the safety metrics needed to reach the required safety integrity level. Refer to Section 3.6.7 Reset and clock controller (RCC) for a detailed description of the safety mechanisms. 4.2.3 DMA. The DMA function can be involved in data transfers operated by most of the peripherals.
  • Page 95: List Of Evidences

    UM2305 List of evidences. A safety case database stores all the information related to the safety analysis performed to derive the results and conclusions reported in this safety manual. The safety case database is composed of the following: •...
  • Page 96: Change Impact Analysis For Other Safety Standards

    UM2305 Change impact analysis for other safety standards. The safety analysis reported in this safety manual is executed according to the IEC 61508 safety norm. This section reports the outcome of a change impact analysis with respect to different safety standards. For each new safety standard addressed, the following items are considered: •...
  • Page 97: ISO 13849 Safety Metrics Computation

    When for a certain component PFH << 1, it can be assumed that MTTFd = 1 / PFH. It is worth noting that, according to the ST methodology, FMEDA data include the failure rate related to transient faults without any assumption about their potential partial safeness. Because of this assumption, the PFH values in the Device FMEDA lead to very conservative values for the computed MTTFd.
  • Page 98: IEC 62061:2005+AMD1:2012+AMD2:2015

    UM2305 IEC 62061:2005+AMD1:2012+AMD2:2015. This standard is applicable in the specification, design and verification or validation of safety-related electrical control systems (SRECS) of machines. An SRECS is the electrical or electronic control system of the machine whose failure could lead to a reduction or loss of safety. An SRECS implements a safety-related control function (SRCF) to prevent any increase of the risk.
  • Page 99: IEC 61800-5-2:2016

    UM2305 IEC 61800-5-2:2016. The scope of this standard is the functional safety of adjustable speed electric drive systems. 6.3.1 IEC 61800 architectural categories. Because the IEC 61800 definitions for HFT and for architectures are equivalent to those of IEC 61508, the remapping is straightforward.
  • Page 100: Revision History

    UM2305 Revision history. Table 156. Document revision history (columns: Date, Revision, Changes; revision numbers are not captured in this excerpt). 02-Nov-2017: Initial release. 13-Nov-2017: Updated: Section: Advanced, general and low-power timers TIM1/2/3/4/5/8/15/16/17 LPTIM1/2; Table: ATIM_SM_0; Table: List of safety mechanisms; Table: IEC 60730 required safety mechanism for Class B/C compliance. Updated: •...
  • Page 101 Table 156 (continued). 17-Dec-2020: Updated: Section 3.6.1 Arm® Cortex®-M4 CPU CPU_SM_0; Section 3.6.4 Embedded Flash memory FLASH_SM_7; Section 3.6.28 HASH processor (HASH) HASH_SM_1; Section 3.6.30 Advanced encryption standard hardware accelerator (AES) AES_SM_1; Section 3.6.33 Real-time clock module (RTC) RTC_SM_2.
  • Page 102: Glossary

    UM2305 Glossary. Application software: within the software executed by the Device, the part that ensures functionality of the End user's application and integrates safety functions. CCF: common cause failure. CM: continuous mode. Compliant item: any item subject to claim with respect to the clauses of the IEC 61508 series of standards... ITRS: international technology roadmap for semiconductors. LD: low-demand. MCU: microcontroller unit. MPU: memory protection unit.
  • Page 103: Table Of Contents

    UM2305 Contents: About this document (page 2); Purpose and scope ...
  • Page 104 Contents (continued): 3.6.14 Extended interrupt and events controller (EXTI) (page 40); 3.6.15 Cyclic redundancy-check calculation unit (CRC) ...
  • Page 105 Contents (continued): 4.1.1 Safety analysis result customization (page 91); 4.1.2 General requirements for freedom from interferences (FFI) ...
  • Page 106 UM2305 List of tables: Table 1. Document sections versus IEC 61508-2 Annex D safety requirements (page 2); Table 2. ...
  • Page 107 List of tables (continued): Table 53. DMA_SM_1 (page 35); Table 54. ...
  • Page 108 List of tables (continued): Table 107. ATIM_SM_0 (page 62); Table 108. ...
  • Page 109 UM2305 List of figures: Figure 1. STMicroelectronics product development process (page 4); Figure 2. ...
  • Page 110 ST or any of its affiliates, or as to the accuracy or validity of the information contained herein, or concerning any alleged product issue, failure, or defect. ST does not promise that this document is accurate or error free and specifically disclaims all warranties, express or implied, as to the accuracy of the information contained herein.

This manual is also suitable for:

STM32L4+ Series
