
ST STM32F2 Series - Table 11. CPU_SM_6; Table 12. CPU_SM_7

| SM CODE | CPU_SM_5 |
| --- | --- |
| Detailed implementation | Using an external watchdog linked to the control flow monitoring method (refer to CPU_SM_1) addresses the failure mode of the program counter or control structures of the CPU. The external watchdog can be designed to generate the combination of signals needed on the final system to achieve the safe state. It is recommended to carefully check the assumed requirements about the system safe state reported in Section 3.3.1. It also helps reduce potential common cause failures, because the external watchdog is clocked and supplied independently from the STM32F2 Series. |
| Error reporting | Depends on implementation |
| Fault detection time | Depends on implementation (watchdog timeout interval) |
| Addressed fault model | Permanent and Transient |
| Dependency on MCU configuration | None |
| Initialization | Depends on implementation |
| Periodicity | Continuous |
| Test for the diagnostic | To be defined at system level (outside the scope of compliant item analysis) |
| Multiple faults protection | CPU_SM_1: control flow monitoring in application software |
| Recommendations and known limitations | If a windowed watchdog is used, the end user must consider possible tolerance in application software execution, to avoid false error reports (affecting system availability). |
Table 11. CPU_SM_6
| SM CODE | CPU_SM_6 |
| --- | --- |
| Description | Independent watchdog |
| Ownership | ST |
| Detailed implementation | Using the IWDG watchdog linked to the control flow monitoring method (refer to CPU_SM_1) addresses the failure mode of the program counter or control structures of the CPU. |
| Error reporting | Reset signal generation |
| Fault detection time | Depends on implementation (watchdog timeout interval) |
| Addressed fault model | Permanent |
| Dependency on MCU configuration | None |
| Initialization | IWDG activation. It is recommended to use the “Hardware watchdog” in Option byte settings (IWDG is automatically enabled after reset). |
| Periodicity | Continuous |
| Test for the diagnostic | WDG_SM_1: Software test for watchdog at startup |
| Multiple faults protection | CPU_SM_1: control flow monitoring in application software; WDG_SM_0: periodical read-back of configuration registers |
| Recommendations and known limitations | The IWDG intervention can achieve only a potentially “incomplete” local safe state, because it can only guarantee that the CPU is reset. There is no guarantee that application software can still be executed to generate the combinations of output signals that might be needed by the external system to achieve the final safe state. If this limitation turns out to be a blocking point, the end user must adopt CPU_SM_5. |
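The link between the watchdog and control flow monitoring described for CPU_SM_5 and CPU_SM_6 can be sketched as follows. This is an added example, not code from UM1845 or from ST: the watchdog is refreshed only when an order-sensitive signature of the cycle's checkpoints matches the expected one. The checkpoint names, token values and the `iwdg_kr` variable standing in for the IWDG key register are assumptions so the logic runs on a host; 0xAAAA is the IWDG reload key.

```c
#include <stdbool.h>
#include <stdint.h>

/* Host-side model (assumption): on target, iwdg_kr is the IWDG key register. */
#define IWDG_KEY_RELOAD 0xAAAAu      /* key value that reloads the IWDG counter */
static volatile uint32_t iwdg_kr;    /* stand-in for IWDG->KR */
static unsigned refresh_count;       /* refreshes issued, for inspection only */

/* Hypothetical checkpoints of one application cycle, in the required order. */
enum { CP_READ_INPUTS, CP_COMPUTE, CP_WRITE_OUTPUTS, CP_COUNT };
static const uint32_t cp_token[CP_COUNT] = { 0x3Cu, 0x5Au, 0xA5u }; /* constructed */

static uint32_t flow_sig;            /* order-sensitive signature of this cycle */
static bool flow_error;              /* latched until the watchdog resets the CPU */

static uint32_t mix(uint32_t sig, uint32_t token)
{
    return ((sig << 5) | (sig >> 27)) ^ token;   /* rotate, then fold token in */
}

/* Called by the application when it passes a checkpoint. */
void cf_checkpoint(unsigned id)
{
    if (id >= CP_COUNT) { flow_error = true; return; }
    flow_sig = mix(flow_sig, cp_token[id]);
}

/* Called once per cycle: the only place that may refresh the watchdog. */
bool cf_end_of_cycle(void)
{
    uint32_t expected = 0;
    for (unsigned i = 0; i < CP_COUNT; i++) expected = mix(expected, cp_token[i]);

    if (flow_sig != expected) flow_error = true;  /* skipped, repeated or reordered */
    flow_sig = 0;
    if (flow_error) return false;                 /* no refresh: IWDG times out */
    iwdg_kr = IWDG_KEY_RELOAD;
    refresh_count++;
    return true;
}

int main(void)
{
    cf_checkpoint(CP_READ_INPUTS); cf_checkpoint(CP_COMPUTE); cf_checkpoint(CP_WRITE_OUTPUTS);
    bool good = cf_end_of_cycle();               /* complete cycle: refreshed */
    cf_checkpoint(CP_READ_INPUTS); cf_checkpoint(CP_WRITE_OUTPUTS);
    bool bad = cf_end_of_cycle();                /* CP_COMPUTE skipped: withheld */
    return (good && !bad && refresh_count == 1) ? 0 : 1;
}
```

Because the error flag is latched, a later correct cycle does not resume refreshing; the watchdog timeout then produces the reset listed under "Error reporting".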
Table 12. CPU_SM_7
| SM CODE | CPU_SM_7 |
| --- | --- |
| Description | MPU - Memory protection Unit |
| Ownership | ST |
UM1845
Description of hardware and software diagnostics
UM1845 - Rev 4
page 16/108
