SM CODE RAM_SM_2
Multiple faults protection Refer to CPU_SM_4
Recommendations and known limitations Refer to CPU_SM_4
Table 24. RAM_SM_3
SM CODE RAM_SM_3
Description Information redundancy for safety-related variables in application software
Ownership End user
Detailed implementation
To address transient faults affecting the SRAM controller, it is required to implement information redundancy on
the safety-related system variables stored in the RAM.
The guidelines for the implementation of this method are the following:
• The system variables that are safety-related (in the sense that a wrong value due to a failure in
reading on the RAM affects the safety functions) are well-identified and documented.
• The arithmetic computations or decisions based on such variables are executed twice and the two final
results are compared.
• Safety-related variables are stored and updated in two redundant locations, and the comparison is
checked before consuming the data.
• Enumerated fields must use non-trivial values, checked for coherence at least once per PST.
• Data vectors stored in SRAM must be protected by an encoding checksum (for example, a CRC).
Error reporting Depends on implementation
Fault detection time Depends on implementation
Addressed fault model Permanent and Transient
Dependency on MCU configuration None
Initialization Depends on implementation
Periodicity On demand
Test for the diagnostic Not needed
Multiple faults protection CPU_SM_0: periodical core self-test software
Recommendations and known limitations Implementation of this safety method shows a partial overlap with an already foreseen method for Cortex®-M3 (CPU_SM_1); optimizations in implementing both methods are therefore possible.
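The following C code is an added example and is not part of UM1845 or of any ST library; it shows one way to apply the RAM_SM_3 guidelines in application firmware. The type and function names (safe_u32_t, safe_vector_t, compute_limit_twice, the MODE_* values) are illustrative assumptions, and CRC-16/CCITT-FALSE is chosen here only as one possible "encoding checksum"; the manual does not prescribe a specific polynomial.

```c
/* Added example (not from UM1845): information redundancy for safety-related
 * RAM variables per RAM_SM_3. All names and constants are illustrative. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Guideline 3: a safety variable lives in two locations, value and complement.
 * In real firmware the two copies would be placed in distinct RAM regions. */
typedef struct {
    uint32_t value;
    uint32_t inverse;   /* invariant: inverse == ~value */
} safe_u32_t;

void safe_u32_write(safe_u32_t *v, uint32_t x) {
    v->value = x;
    v->inverse = ~x;
}

/* Read succeeds only if both copies agree; otherwise the caller must not
 * consume the data and should move to the safe state. */
bool safe_u32_read(const safe_u32_t *v, uint32_t *out) {
    if (v->value != (uint32_t)~v->inverse) return false;
    *out = v->value;
    return true;
}

/* Guideline 4: enumerated fields use non-trivial values, so cleared or
 * stuck-at memory (0x0000, 0xFFFF, 0x0001...) never decodes to a legal state. */
typedef enum {
    MODE_INIT = 0x5AC3,
    MODE_RUN  = 0xA53C,
    MODE_SAFE = 0x3CA5
} safety_mode_t;

bool mode_is_coherent(uint32_t raw) {
    return raw == MODE_INIT || raw == MODE_RUN || raw == MODE_SAFE;
}

/* Guideline 5: data vectors carry a checksum. CRC-16/CCITT-FALSE
 * (poly 0x1021, init 0xFFFF) is used here as an example choice. */
uint16_t crc16_ccitt(const uint8_t *data, size_t len) {
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)((uint16_t)data[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021)
                                 : (uint16_t)(crc << 1);
    }
    return crc;
}

typedef struct {
    uint8_t  data[16];
    size_t   len;
    uint16_t crc;       /* recomputed on every update, verified before use */
} safe_vector_t;

void safe_vector_update(safe_vector_t *v) { v->crc = crc16_ccitt(v->data, v->len); }
bool safe_vector_check(const safe_vector_t *v) { return crc16_ccitt(v->data, v->len) == v->crc; }

/* Guideline 2: the computation is executed twice from independently re-read
 * inputs and both results are compared before the output is consumed. */
bool compute_limit_twice(const safe_u32_t *speed, uint32_t gain, uint32_t *out) {
    uint32_t a, b;
    if (!safe_u32_read(speed, &a)) return false;
    uint32_t r1 = a * gain + 7;
    if (!safe_u32_read(speed, &b)) return false;
    uint32_t r2 = b * gain + 7;
    if (r1 != r2) return false;
    *out = r1;
    return true;
}

/* Constructed fault: one bit flipped in the primary copy must be detected. */
bool demo_detects_single_bit_flip(void) {
    safe_u32_t s;
    uint32_t out;
    safe_u32_write(&s, 0x00001234u);
    s.value ^= 0x00000100u;
    return !safe_u32_read(&s, &out);
}

/* Constructed fault: one byte of a checksummed vector corrupted. */
bool demo_vector_detects_corruption(void) {
    safe_vector_t v = { { '1','2','3','4','5','6','7','8','9' }, 9, 0 };
    safe_vector_update(&v);
    bool ok_before = safe_vector_check(&v);
    v.data[4] ^= 0x01;
    return ok_before && !safe_vector_check(&v);
}

/* Happy path: duplicated computation on an intact variable (1234*3+7). */
uint32_t demo_compute_ok(void) {
    safe_u32_t s;
    uint32_t out = 0;
    safe_u32_write(&s, 1234u);
    return compute_limit_twice(&s, 3u, &out) ? out : 0;
}
```

In a real build the two copies of each variable and the working copies used by the duplicated computation should be declared volatile or placed in separate linker sections, otherwise the compiler may legitimately fold the second read into the first and remove the redundancy the method relies on.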
Table 25. RAM_SM_4
SM CODE RAM_SM_4
Description Control flow monitoring in application software
Ownership End user
Detailed implementation
If the end-user application software is executed from SRAM, permanent and transient faults
affecting the memory (cells and address decoder) can interfere with the program execution.
This method is required to address such failures.
For more details on the implementation, refer to the description of CPU_SM_1.
Error reporting Depends on implementation
Fault detection time Depends on implementation. The upper bound is set by the watchdog timeout interval.
Addressed fault model Permanent and Transient
Dependency on MCU configuration None
Initialization Depends on implementation
Periodicity Continuous
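The following C code is an added example and is not part of UM1845 or of any ST library; it illustrates signature-based control flow monitoring of the kind RAM_SM_4 asks for, where each step of a safety cycle reports a checkpoint, the monitor verifies ordering and a running signature, and only a complete, in-order cycle allows the watchdog to be refreshed. The checkpoint identifiers, the cfm_* names and the rotate-and-XOR signature are illustrative assumptions, not a description of the CPU_SM_1 method referenced by the manual.

```c
/* Added example (not from UM1845): control flow monitoring per RAM_SM_4.
 * All names, checkpoint values and the signature function are illustrative. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Non-trivial checkpoint identifiers (no 0/1/2), following RAM_SM_3. */
enum {
    CP_START         = 0xA1,
    CP_READ_INPUTS   = 0xB2,
    CP_COMPUTE       = 0xC3,
    CP_WRITE_OUTPUTS = 0xD4,
    CP_END           = 0xE5
};

typedef struct {
    uint32_t signature;  /* running signature over visited checkpoints */
    uint8_t  last;       /* last checkpoint reached */
    bool     error;      /* sticky flag: an out-of-order checkpoint was seen */
} cfm_t;

/* Fold one checkpoint into the signature: rotate-left 5, then XOR. */
static uint32_t cfm_step(uint32_t sig, uint8_t cp) {
    return ((sig << 5) | (sig >> 27)) ^ (uint32_t)cp;
}

void cfm_start(cfm_t *m) {
    m->signature = cfm_step(0, CP_START);
    m->last = CP_START;
    m->error = false;
}

/* Report reaching 'cp', which must directly follow 'expected_prev'. A skipped,
 * repeated or reordered step sets the sticky error flag. */
void cfm_checkpoint(cfm_t *m, uint8_t expected_prev, uint8_t cp) {
    if (m->last != expected_prev) m->error = true;
    m->last = cp;
    m->signature = cfm_step(m->signature, cp);
}

/* Expected signature of the legal sequence; in real firmware this would be a
 * constant computed at build time rather than derived at run time. */
uint32_t cfm_expected_signature(void) {
    static const uint8_t seq[] = { CP_START, CP_READ_INPUTS, CP_COMPUTE,
                                   CP_WRITE_OUTPUTS, CP_END };
    uint32_t sig = 0;
    for (size_t i = 0; i < sizeof seq; i++) sig = cfm_step(sig, seq[i]);
    return sig;
}

/* True only if the cycle ran complete and in order. The application refreshes
 * the watchdog only on true; otherwise the watchdog timeout bounds detection. */
bool cfm_cycle_ok(const cfm_t *m) {
    return !m->error && m->last == CP_END &&
           m->signature == cfm_expected_signature();
}

/* Simulated safety cycle. 'skip_compute' models a control flow fault where
 * execution jumps past the compute step; 'repeat_read' models a step run twice. */
bool run_cycle(bool skip_compute, bool repeat_read) {
    cfm_t m;
    cfm_start(&m);
    cfm_checkpoint(&m, CP_START, CP_READ_INPUTS);
    if (repeat_read) cfm_checkpoint(&m, CP_START, CP_READ_INPUTS);
    if (!skip_compute) cfm_checkpoint(&m, CP_READ_INPUTS, CP_COMPUTE);
    cfm_checkpoint(&m, CP_COMPUTE, CP_WRITE_OUTPUTS);
    cfm_checkpoint(&m, CP_WRITE_OUTPUTS, CP_END);
    return cfm_cycle_ok(&m);
}
```

The monitor state itself lives in RAM, so in a deployment it should be protected with the RAM_SM_3 redundancy (for example by keeping the signature and its complement), otherwise a fault in the monitor's own variables could mask a control flow error.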
UM1845
Description of hardware and software diagnostics
UM1845 - Rev 4
page 23/108